
Elliptic Curves

Notes for the 2004-5 Part III course

28/01/2005 – 16/03/2005


Contents

1 Definitions and Weierstrass equations
  1.0 Motivation (non-examinable)
  1.1 Definitions: Elliptic curves and the generalised Weierstrass equation
2 The Group Law on an Elliptic Curve
3 Elliptic Curves over C
  3.1 An elliptic curve over C is a Riemann surface
  3.2 Another way to construct a torus
  3.3 Main result
  3.4 To go from C/Λ to a corresponding elliptic curve E/C
4 Heights and the Mordell-Weil Theorem
5 Heights and Mordell-Weil, continued
6 The curve E′ (missing)
7 Completion of the proof of Mordell-Weil
  7.1 Notation and Recapitulation
  7.2 The Map α
  7.3 The Image of α
  7.4 The Exact Sequence
  7.5 Determination of Im(α)
8 Examples of rank calculations
9 Introduction to the P-adic numbers
  9.1 Valuations
    9.1.1 Crucial property of ultrametric spaces
  9.2 Explicit representation of Qp as formal power series
    9.2.1 The sequence corresponding to a p-adic integer
    9.2.2 Hensel’s lemma (simplest form)
  9.3 Algebraic extensions of Qp
    9.3.1 Classification of unramified extensions
10 Introduction to formal groups
  10.0 Motivation (non-examinable)
  10.1 Complete rings, local rings and Hensel’s lemma
  10.2 Formal groups
  10.3 Groups from formal groups
11 Formal groups continued
  11.1 The Formal Group Law of an Elliptic Curve
  11.2 Elliptic curves over the p-adics
12 Points of finite order
  12.0 Motivation
  12.1 Points of finite order on E(pZp)
13 Minimal Weierstrass Equations
  13.1 Criteria for minimality
  13.2 Reduction mod p on points
14 Reduction mod p II and torsion points over algebraic extensions
15 Isogenies
  15.1 Introduction
  15.2 Isogenies are surjective
  15.3 Isogenies are group homomorphisms
  15.4 Isogenies have finite kernels
  15.5 Quotients of elliptic curves
  15.6 Complex multiplication
16 Dual isogenies and the structure of the torsion subgroup
  16.1 Introduction
  16.2 Revision of last lecture
  16.3 The dual isogeny and deg[m]
  16.4 The structure of the torsion subgroup
17 Hasse’s Theorem
18 Introduction to Galois cohomology
19 Cohomology and Mordell-Weil
20 Completion of the proof of Mordell-Weil
21 Sarah vs. Zacky

Lecture 1

Definitions and Weierstrass equations

David Loeffler, 28/01/2005

1.0 Motivation (non-examinable)

What is an elliptic curve? As we shall see in the next section, when we give formal definitions, an elliptic curve is more or less the same thing as an algebraic curve of genus 1.

Why is the genus important? It turns out that the genus of a curve determines its properties to a remarkable extent – in particular, by the trichotomy $g = 0$, $g = 1$ or $g \geq 2$.

Genus 0

Over an algebraically closed field $k$, all genus 0 curves are isomorphic to the projective line $\mathbb{P}^1_k$. So they are parametrised by rational functions. Over a non-algebraically-closed field this is not quite true, but similar strong results hold. For example, curves of genus 0 over $\mathbb{Q}$ can always be embedded into $\mathbb{P}^2$ as conic sections; and if there is a single rational point on the curve, then by considering lines through this point we can give a rational parametrisation. The question of whether there are any rational points at all is solved by the Hasse-Minkowski theorem, which states that a quadratic form (in any number of variables) has rational solutions if and only if it has solutions over $\mathbb{R}$ and all of the p-adic fields $\mathbb{Q}_p$.

Genus 1

The genus 1 curves are, therefore, in some sense the simplest nontrivial algebraic curves; and they have a very rich structure about which much is known and still more remains to be found. For example, a genus 1 curve over $\mathbb{Q}$ can have no rational points, finitely many, or infinitely many; but if there are any (so the curve is elliptic), the rational points form an abelian group, and this is always finitely generated (the Mordell-Weil theorem). It is an open problem whether the rank of this group can be arbitrarily large; but there are algorithms to determine it for a given curve. As for the torsion subgroup, it was recently shown by Mazur that there can never be more than 16 rational points of finite order, and there exists a simple algorithm to find them all.

Genus 2 and higher

The curves of genus ≥ 2 are much more difficult to work with, and the theory is much less complete. One result that illustrates the difference between this case and the genus 1 case is Faltings’ theorem, which states that for curves defined over $\mathbb{Q}$, the set of rational points is finite; but no practical algorithm is yet known for finding them.

1.1 Definitions: Elliptic curves and the generalised Weierstrass equation

The results of this section properly belong to algebraic geometry, so we will not prove them here. Proofs may be found in Wilson’s IIB Algebraic Curves notes, or in Silverman’s book. Hereafter $k$ represents some field (which is not necessarily algebraically closed and may have positive characteristic).

Definition 1.1. An elliptic curve over $k$ is a nonsingular projective algebraic curve $E$ of genus 1 over $k$ with a chosen base point $O \in E$.

Remark. There is a somewhat subtle point here concerning what is meant by a point of a curve over a non-algebraically-closed field. This arises because in algebraic geometry, it is common to identify points of a variety with maximal ideals in its $k$-algebra of regular functions; but if $k \neq \bar{k}$, this algebra has some maximal ideals which do not correspond to points of the original curve, but to Galois orbits of points satisfying the equations of the curve but with coordinates in extension fields $L/k$. In certain cases, such as the second example below, every maximal ideal is of this type. However, we don’t want to allow $O$ to be such a point; it’s got to be a proper point defined over the base field $k$. I attempted to sidestep this issue in the lectures by using the phrase “k-rational point”, but it seems this only resulted in more confusion. I hope this remark goes some way towards explaining this.

Examples:

1. The curve in $\mathbb{P}^2_{\mathbb{Q}}$ defined by the homogeneous cubic $Y^2Z = X^3 - XZ^2$ is a nonsingular curve of genus 1; taking $O = (0 : 1 : 0)$ makes it into an elliptic curve.

2. The cubic $3X^3 + 4Y^3 + 5Z^3$ is a nonsingular projective curve of genus 1 over $\mathbb{Q}$, but it is not an elliptic curve, since it does not have a single rational point. In fact, it has points over $\mathbb{R}$ and all the $\mathbb{Q}_p$, but no rational points, and thus shows that the Hasse-Minkowski principle does not hold for elliptic curves. (We will see why this is when we encounter the Shafarevich-Tate group later in the course.)

We shall see later that every genus 1 curve can be embedded into $\mathbb{P}^2$ as a cubic. Since there are many plane cubics, we shall consider a particular class of cubic curves which will turn out to be sufficient:

Definition 1.2. A generalised Weierstrass equation over $k$ is an equation of the form

$$E : Y^2Z + a_1XYZ + a_3YZ^2 = X^3 + a_2X^2Z + a_4XZ^2 + a_6Z^3$$

where the coefficients $a_i \in k$.

Observe that such an equation defines a curve with a single point at infinity, $O = (0 : 1 : 0)$. So it certainly has a rational point. It is easily seen that the curve is nonsingular at $O$; but it may be singular elsewhere. Conversely, any cubic satisfying these conditions must be in Weierstrass form.

Definition 1.3. For a Weierstrass equation as above, define the following quantities:

$$b_2 = a_1^2 + 4a_2, \qquad b_4 = 2a_4 + a_1a_3, \qquad b_6 = a_3^2 + 4a_6,$$

$$b_8 = a_1^2a_6 + 4a_2a_6 - a_1a_3a_4 + a_2a_3^2 - a_4^2,$$

$$\Delta = -b_2^2b_8 - 8b_4^3 - 27b_6^2 + 9b_2b_4b_6.$$

Then $\Delta$ is the discriminant of the generalised Weierstrass equation.

Proposition 1.4. The Weierstrass equation defines a nonsingular curve if and only if $\Delta \neq 0$.

Proof. (sketch) This result is not difficult if the characteristic of $k$ is not 2. We have checked that the unique point at infinity is nonsingular, so we work with the corresponding affine curve. The change of variables $y' = \frac{1}{2}(y - a_1x - a_3)$ reduces the equation to the simpler form $y^2 = 4x^3 + b_2x^2 + 2b_4x + b_6$, where the $b_i$’s are as defined above. This is evidently nonsingular if and only if the cubic on the right has no repeated roots; but the discriminant of the cubic is $16\Delta$.

(For a proof valid in characteristic 2, see Silverman, appendix A.)

Proposition 1.5. Any elliptic curve $E$ over $k$ is isomorphic to the curve in $\mathbb{P}^2_k$ defined by some generalised Weierstrass equation, with the base point $O$ of $E$ being mapped to $(0 : 1 : 0)$. Conversely any non-singular generalised Weierstrass equation defines an elliptic curve, with this choice of basepoint.

Proposition 1.6. Two Weierstrass equations define isomorphic curves if and only if they are related by a change of variables of the form

$$x' = u^2x + r$$

$$y' = u^3y + u^2sx + t$$

with $u, r, s, t \in k$, $u \neq 0$.

We shall assume from now on that all our elliptic curves are embedded in $\mathbb{P}^2_k$ via a generalised Weierstrass equation. We shall use the notation $E(k)$ for the set of points in $\mathbb{P}^2_k$ lying on the curve $E$. (That is, the set of k-rational points; see the remark following the definition, above.) Note that this will include the point $O$ at infinity. Where $L/k$ is a field extension, we define $E(L)$ in the obvious way, as the set of points in $\mathbb{P}^2_L$ lying on $E$.

I’ll conclude with a lemma that will be needed in the next lecture. (Warning: this is stated in a rather misleading manner in Coates’s 2003 notes.)

Proposition 1.7. Let $C$ be any cubic curve in $\mathbb{P}^2_k$. If $k$ is algebraically closed, any line in $\mathbb{P}^2_k$ intersects $C$ at precisely three points, counted with multiplicity. If $k$ is not algebraically closed, then this need not be the case, but if a line intersects $C$ at two points it must intersect it at a third.

(This fact will be vital to the definition of the group law in the next lecture.)

Lecture 2

The Group Law on an Elliptic Curve

Tom Ward, 31/01/2005

Definition of the Group Law

Let $E$ be an elliptic curve over a field $k$. Last lecture we learned that we may embed $E$ into $\mathbb{P}^2_k$ as a smooth plane cubic, given by the generalised Weierstrass equation $(\star)$:

$$E : Y^2Z + a_1XYZ + a_3YZ^2 = X^3 + a_2X^2Z + a_4XZ^2 + a_6Z^3 \qquad (\star)$$

($a_i \in k$) with a unique point at infinity $O = (0 : 1 : 0)$.

We also saw (at the end of the last lecture) that any line intersecting $E$ at two points must also meet it at a third; in particular, if I have two points $P$, $Q$ on $E$, I can draw a line through them, and I know this will intersect the curve at some third point.

I can also draw a tangent to $E$ at a point $P$, and I know that it will meet $E$ in precisely one other point (since the tangent at $P$ intersects $E$ at $P$ with multiplicity 2).

Keep this in mind as you consider the following proposition.

Proposition 2.1. There exists a binary operation $\oplus$ on $E(k)$ such that:
(i) $P \oplus Q = Q \oplus P$
(ii) $P \oplus O = P$
(iii) If a line $L$ meets $E$ at points $P, Q, R$, then $(P \oplus Q) \oplus R = O$
(iv) Given $P \in E(k)$, there exists $R \in E(k)$ such that $P \oplus R = O$ (Then we write $R = -P$)
(v) $(P \oplus Q) \oplus R = P \oplus (Q \oplus R)$
Therefore, $(E(k), \oplus)$ is an Abelian Group.

The proof I will give of this proposition uses a powerful result from algebraic geometry (the Riemann-Roch Theorem for curves), and we postpone it to the end of this section. You could provide a more elementary proof by working with the formulas for $P \oplus Q$ that we derive in the next section; but it would be hard work, and the algebraic geometric proof is more illuminating.

How To Add Points on the Curve

Given $P, Q \in E(k)$ explicitly, we naturally want to know if we can find a formula for the point $P \oplus Q$. This is easily done, and we’ll see an example in a moment.

Firstly, we want to be able to invert points. For this we need to know when a line $L$ meets $E$ at the point $O$ at infinity.

Lemma 2.2. The lines in the plane that meet $E$ at the point $O = (0 : 1 : 0)$ at infinity are precisely the lines $x = \xi$ (for $\xi \in k$).

Proof. Any line $L$ in the plane is given by an equation:

$$L : \alpha x + \beta y + \gamma = 0$$

($\alpha, \beta, \gamma \in k$) with $\alpha, \beta$ not both zero.

This line has projective equation

$$L : \alpha X + \beta Y + \gamma Z = 0$$

Therefore, $O$ lies on $L \Leftrightarrow \beta = 0$. In this case, $\alpha \neq 0$ so dividing by $\alpha$ gives us an equation for $L$ of the form $x = \xi$.

Example: $E : y^2 + y = x^3 - x$ (an elliptic curve over $\mathbb{Q}$), $P = (0, 0)$, $Q = (-1, -1)$. We want to find $P \oplus Q$.

The line going through $P$ and $Q$ is clearly $y = x$. This must meet $E$ somewhere else. Put $y = x$ into the equation for $E$:

$$x^2 + x = x^3 - x \Rightarrow x^3 - x^2 - 2x = 0 \Rightarrow x = 0 \text{ or } -1 \text{ or } 2.$$

So the line meets $E$ at $R = (2, 2)$ as well. By the definition of $\oplus$, $P \oplus Q \oplus R = O$. So $R = -(P \oplus Q)$, and we want to invert $R$.

The line $x = 2$ meets $E$ at $R$, and the lemma tells us it meets $E$ at $O$ too. It will also meet $E$ at a third point, $S$ say. Then $R \oplus S \oplus O = O$, so $R \oplus S = O$, so $S = -R = P \oplus Q$. Put $x = 2$ into the equation for $E$: we get

$$y^2 + y = 6 \Rightarrow y = 2 \text{ or } -3 \Rightarrow P \oplus Q = (2, -3)$$

In this way we can come up with a general formula for adding two points:

Proposition 2.3. If $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ are points on $E$, where $E$ has equation $(\star)$ as before, the following formulae hold:

(i) $-P_1 = (x_1, -(a_1x_1 + a_3) - y_1)$

(ii) If $x_1 = x_2$ but $P_1 \neq P_2$, then $P_1 \oplus P_2 = O$

(iii) If $x_1 \neq x_2$ and $P_1 \neq P_2$, then the line through $P_1$ and $P_2$ is $y = \lambda x + \nu$, where:

$$\lambda = \frac{y_2 - y_1}{x_2 - x_1}, \qquad \nu = \frac{x_2y_1 - x_1y_2}{x_2 - x_1}$$

Also, if $P_1 = P_2$, then the tangent to $E$ at $P_1$ is $y = \lambda x + \nu$, where:

$$\lambda = \frac{3x_1^2 + 2a_2x_1 + a_4 - a_1y_1}{2y_1 + a_1x_1 + a_3}, \qquad \nu = \frac{-x_1^3 + a_4x_1 + 2a_6 - a_3y_1}{2y_1 + a_1x_1 + a_3}$$

Finally, if the line through $P_1$ and $P_2$ (respectively the tangent at $P_1 = P_2$) is $y = \lambda x + \nu$, then $P_1 \oplus P_2 = (x_3, y_3)$ where:

$$x_3 = \lambda^2 + a_1\lambda - a_2 - x_1 - x_2$$

$$y_3 = -(\lambda + a_1)x_3 - \nu - a_3$$

Example: $E : y^2 + y = x^3 - x$ again. Let $P = (0, 0)$. We find $2P = (1, 0)$, $3P = (-1, -1)$, $4P = (2, -3)$, $5P = (\frac{1}{4}, -\frac{5}{8})$, $6P = (6, 14)$ and $7P = (-\frac{5}{9}, \frac{8}{27})$.

In fact, $P$ has infinite order in $E(\mathbb{Q})$.

Proof of the Formulae (boring bits left to the reader!):

(i) We use the lemma as we did in the earlier example: the line $x = x_1$ meets $E$ at $P_1$, $O$, and $-P_1$, so put $x = x_1$ into the equation $(\star)$ for $E$ and solve for the y co-ordinate of $-P_1$.

(ii) If $x_1 = x_2$ but $P_1 \neq P_2$, then (by the lemma) $P_1$ and $P_2$ lie on a line through $O$, so $P_1 = -P_2$.

(iii) For $P_1 \neq P_2$, solve the simultaneous equations $y_1 = \lambda x_1 + \nu$ and $y_2 = \lambda x_2 + \nu$.

For the tangent at $P_1$, differentiate equation $(\star)$ to find the gradient $\lambda$, then find $\nu$.

For the co-ordinates of $P_1 \oplus P_2$, put $y = \lambda x + \nu$ into equation $(\star)$. Solving for $x$ and $y$, we get the co-ordinates of the point $-(P_1 \oplus P_2)$. Using formula (i) to invert it gives the final formula.

Results About the Group E(k)

Theorem 2.4 (The Mordell-Weil Theorem). Let $E$ be an elliptic curve over $\mathbb{Q}$. Then $E(\mathbb{Q})$ is a finitely generated abelian group.

Knowing this theorem, we may write $E(\mathbb{Q}) \cong T \times \mathbb{Z}^g$ where $T$ is the torsion subgroup of $E(\mathbb{Q})$; and we define the rank of $E$ to be $g$.

Examples:

(i) (rank = 0) $E : y^2 + y = x^3 - x^2$, with $\Delta = -11$: $E(\mathbb{Q}) = \langle (0, 0) \rangle \cong \mathbb{Z}/5\mathbb{Z}$

(ii) (rank = 1) $E : y^2 + y = x^3 - x$, with $\Delta = 37$: $E(\mathbb{Q}) = \langle (0, 0) \rangle \cong \mathbb{Z}$

(iii) (rank = 2) $E : y^2 + y = x^3 - x^2 - 2x$, with $\Delta = 389$: $E(\mathbb{Q}) = \langle (0, 0), (1, 0) \rangle \cong \mathbb{Z}^2$

(iv) (rank = 3) $E : y^2 + y = x^3 - 7x + 6$, with $\Delta = 5077$: $E(\mathbb{Q}) = \langle (0, 2), (1, 0), (2, 0) \rangle \cong \mathbb{Z}^3$
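The discriminant of Definition 1.3 and the addition formulae of Proposition 2.3, as an added Python example that is not part of the original notes: exact arithmetic over Q reproduces the multiples of P = (0, 0) listed above, the order-5 point on the rank 0 curve, and three of the stated discriminants. The names `Curve`, `multiples` and `order` are assumptions of this example; the sum is obtained by applying formula (i) to the third intersection point, and `order` uses the bound of 16 quoted from Mazur in Lecture 1.

```python
from fractions import Fraction as F

O = None  # the point at infinity (0 : 1 : 0)


class Curve:
    """y^2 + a1*x*y + a3*y = x^3 + a2*x^2 + a4*x + a6 over Q (example names)."""

    def __init__(self, a1, a2, a3, a4, a6):
        self.a = tuple(F(c) for c in (a1, a2, a3, a4, a6))

    def discriminant(self):
        # b2, b4, b6, b8 and Delta exactly as in Definition 1.3
        a1, a2, a3, a4, a6 = self.a
        b2 = a1 * a1 + 4 * a2
        b4 = 2 * a4 + a1 * a3
        b6 = a3 * a3 + 4 * a6
        b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
        return -b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6

    def contains(self, P):
        if P is O:
            return True
        a1, a2, a3, a4, a6 = self.a
        x, y = map(F, P)
        return y * y + a1 * x * y + a3 * y == x ** 3 + a2 * x * x + a4 * x + a6

    def neg(self, P):
        # Formula (i): the other point of E on the vertical line x = x1
        if P is O:
            return O
        a1, _, a3, _, _ = self.a
        x, y = map(F, P)
        return (x, -(a1 * x + a3) - y)

    def add(self, P, Q):
        if not (self.contains(P) and self.contains(Q)):
            raise ValueError("point is not on the curve")
        if P is O:
            return Q
        if Q is O:
            return P
        a1, a2, a3, a4, a6 = self.a
        x1, y1 = map(F, P)
        x2, y2 = map(F, Q)
        if x1 == x2 and y2 == -(a1 * x1 + a3) - y1:
            return O  # Q = -P: case (ii), or doubling a point of order 2
        if x1 == x2:
            # tangent at P1 = P2; the denominator is non-zero since P != -P
            den = 2 * y1 + a1 * x1 + a3
            lam = (3 * x1 * x1 + 2 * a2 * x1 + a4 - a1 * y1) / den
            nu = (-x1 ** 3 + a4 * x1 + 2 * a6 - a3 * y1) / den
        else:
            # chord through two points with distinct x co-ordinates
            lam = (y2 - y1) / (x2 - x1)
            nu = (x2 * y1 - x1 * y2) / (x2 - x1)
        x3 = lam * lam + a1 * lam - a2 - x1 - x2
        # (x3, lam*x3 + nu) is the third intersection point; invert it
        return self.neg((x3, lam * x3 + nu))

    def mul(self, n, P):
        # double-and-add; negative n is handled through neg()
        if n < 0:
            return self.mul(-n, self.neg(P))
        R, Q = O, P
        while n:
            if n & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            n >>= 1
        return R


def multiples(E, P, count):
    """Return [P, 2P, ..., count*P]."""
    return [E.mul(n, P) for n in range(1, count + 1)]


def order(E, P, bound=16):
    """Order of P if it is at most `bound`, otherwise None."""
    R = P
    for n in range(1, bound + 1):
        if R is O:
            return n
        R = E.add(R, P)
    return None


if __name__ == "__main__":
    E = Curve(0, 0, 1, -1, 0)            # y^2 + y = x^3 - x
    print(E.discriminant(), multiples(E, (0, 0), 7))
    T = Curve(0, -1, 1, 0, 0)            # y^2 + y = x^3 - x^2
    print(T.discriminant(), order(T, (0, 0)))
```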

Conjecture: There exist elliptic curves of arbitrarily high rank.

Points of Order 2

Lemma 2.5. Let $E$ be an elliptic curve over $k$, given by equation $(\star)$ as before. Let $P = (x_1, y_1) \in E(k)$.

Then $P$ has order 2 in $E(k) \Leftrightarrow 2y_1 + a_1x_1 + a_3 = 0$

Proof. $P$ has order 2 $\Leftrightarrow$ the tangent at $P$ meets $O$ $\Leftrightarrow$ the tangent is of the form $x = \xi$ $\Leftrightarrow$ $\left(\frac{dy}{dx}\right)_P = \infty$ $\Leftrightarrow$ $2y_1 + a_1x_1 + a_3 = 0$ (using formula (iii)).

Now, $(2y + a_1x + a_3)^2 = 4x^3 + b_2x^2 + 2b_4x + b_6$ (the $b_i$ are the same as in lecture 1) so $P$ has order 2 $\Leftrightarrow$ this cubic vanishes at $P$.

The cubic has discriminant $16\Delta$.

If char($k$) $\neq 2$ then the cubic has 3 distinct roots in $\bar{k}$ (the algebraic closure of $k$). Therefore there are 3 non-trivial points of order 2 in $E(\bar{k})$. Let $E_2(\bar{k})$ be the subgroup of $E(\bar{k})$ generated by the points of order 2. Then the above result can be written:

$$E_2(\bar{k}) \cong \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$$

If char($k$) $= 2$, then $P$ has order 2 $\Leftrightarrow b_2x_1^2 + b_6 = 0$

If $b_2 \neq 0$ then we have one solution, and so

$$E_2(\bar{k}) \cong \mathbb{Z}/2\mathbb{Z}$$

If $b_2 = 0$ then $b_6 \neq 0$ (because $b_6 = 0$ would imply $\Delta = 0$), therefore there are no non-trivial points of order 2 in $E(\bar{k})$. (Note: If $E(\bar{k})$ has a non-trivial point of order 2, it is said to be ordinary. If not, $E$ is said to be supersingular.)

A Proof of the Group Law

This section assumes knowledge of some algebraic geometry, specifically the theory of divisors on curves and the Riemann-Roch theorem. Background for this would be provided, for example, by reading Prof Wilson’s Algebraic Curves course notes from the web (and it is his notation that I use). The address is http://www.dpmms.cam.ac.uk/~pmhw/ .

Prof Wilson gives a proof of the group law on page 19 of these notes. I here present Dr Milne’s proof from his internet notes. Essentially they use the same arguments, but in my opinion Milne’s proof, while being less neat, is clearer.

The group law is “not an accident” in the sense that there is a subgroup of the divisor class group of $E$ that naturally induces a group structure on $E(k)$, as we shall see.

Let $V$ be a smooth, projective curve over a field $k$, and $D$ a divisor on $V$. Define

$$L(D) = \{f \in k(V) : (f) + D \geq 0\} \cup \{0\}$$

$$l(D) = \dim_k L(D)$$

We let $K_V$ denote the canonical divisor on $V$, and $g$ the genus of $V$.

Theorem 2.6 (Riemann-Roch).

$$l(D) = 1 - g + \deg(D) + l(K_V - D)$$

Now let $E$ be a smooth, projective curve of genus 1, and fix a point $O$ on $E$ (so $E$ is an elliptic curve).

Riemann-Roch with $D = K_E$ tells us $\deg(K_E) = 2g - 2 = 0$. So, if $D$ is a divisor on $E$ with $\deg(D) > 0$ then $\deg(K_E - D) < 0$ and therefore $l(K_E - D) = 0$. Therefore, if $\deg(D) > 0$, Riemann-Roch tells us:

$$l(D) = \deg(D)$$

From now on, we let $D$ be a divisor of degree 0. Then $\deg(D + O) = 1$ so $l(D + O) = 1$ (by the above remarks).

Therefore we have $f \in k(E)$, unique up to multiplication by a constant, such that $(f) + D + O \geq 0$.

But $\deg((f) + D + O) = 1$ so this divisor must be a point $P$. Hence, there exists a unique point $P \in E$ such that

$$(f) + D + O = P \Rightarrow D \sim P - O$$

(where $\sim$ denotes linear equivalence of divisors).

Therefore, if we define

$$\mathrm{Cl}^0(E) = \{\text{Divisors of degree 0 on } E\}$$

we have shown there exists a bijection

$$E(k) \to \mathrm{Cl}^0(E), \qquad P \mapsto P - O$$

Since $\mathrm{Cl}^0(E)$ is an abelian group, $E(k)$ inherits an abelian group structure from it via this bijection.

Claim: This group structure agrees with the operation $\oplus$

Proof. It is sufficient to show that if $P \oplus Q = R$ then $(P - O) + (Q - O) \sim (R - O)$.

$P \oplus Q = R$ means we have a line $L_1$ meeting $E$ at $P$, $Q$ and $S$, and a line $L_2$ meeting $E$ at $S$, $R$, and $O$ (for some point $S$).

The lines $L_i$ can be regarded as linear forms, that is, homogeneous polynomials of degree one. Set $h = \frac{L_1}{L_2} \in k(E)$. $h$ has zeroes at the zeroes of $L_1$, and poles at the zeroes of $L_2$. Therefore we can write down the principal divisor of $h$ on $E$:

$$(h) = P + Q + S - S - O - R \Rightarrow 0 \sim P + Q - O - R \Rightarrow R - O \sim (P - O) + (Q - O)$$

so we are done.

Lecture 3

Elliptic Curves over C

David Geraghty, 02/02/2005

The contents of this lecture are not strictly part of the course but it would be a shame to complete the course without briefly describing the very rich theory of elliptic curves over $\mathbb{C}$. Due to time constraints I have not been able to provide many proofs but they can all be found in chapter VI of Silverman.

3.1 An elliptic curve over C is a Riemann surface

Let $E$ be an elliptic curve over $\mathbb{C}$. Since the characteristic of $\mathbb{C}$ is not equal to 2 or 3, we can assume that $E$ has a generalised Weierstrass equation of the form

$$y^2 = x(x - 1)(x - \lambda)$$

where $\lambda \neq 0, 1$ (since $E$ is nonsingular). We can regard $E \subset \mathbb{P}^2(\mathbb{C})$ as the Riemann surface of the function

$$f(z) = \sqrt{z(z - 1)(z - \lambda)}.$$

What does this surface look like topologically? Since $f$ is double valued, we take two copies of $\mathbb{P}^1(\mathbb{C})$ with appropriate branch cuts (which give single valued branches of $f$). Then we glue along the branch cuts to get the Riemann surface. Note that if we make branch cuts along the lines from 1 to $\lambda$ and from 0 to $\infty$ then we can define a single valued holomorphic branch of $f$. Fattening out the cuts gives a sphere with two discs removed. Glueing two such punctured spheres together along the boundaries of the discs gives a torus. (Editor’s note: This was accompanied by a diagram in the original version, which James Cranch has kindly xfigged, but I can’t seem to get it to successfully import.)

Notes:

1. Any elliptic curve over $\mathbb{C}$ is topologically equivalent to a torus. However different elliptic curves will in general be non isomorphic as Riemann surfaces.

2. In the last lecture we saw that the addition on $E$ is given by everywhere locally defined rational functions. This endows $E$ with the structure of a 1-dimensional complex Lie group i.e. $E$ is both a Riemann surface and a group, and the group operations are given by holomorphic maps of Riemann surfaces.

3.2 Another way to construct a torus

Let $\Lambda \subset \mathbb{C}$ be a lattice, that is, a discrete additive subgroup of $\mathbb{C}$ which contains an $\mathbb{R}$ basis for $\mathbb{C}$. Equivalently, $\Lambda = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$ for some $\omega_1, \omega_2 \in \mathbb{C}$ which are linearly independent over $\mathbb{R}$. Then the quotient space $\mathbb{C}/\Lambda$ is a Riemann surface which topologically is just a torus.

Notes:

1. If $\Lambda_1, \Lambda_2 \subset \mathbb{C}$ are lattices, then $\mathbb{C}/\Lambda_1$, $\mathbb{C}/\Lambda_2$ are homeomorphic but not necessarily isomorphic as Riemann surfaces.

2. By definition, $\Lambda \subset \mathbb{C}$ is an additive subgroup, so ordinary addition on $\mathbb{C}$ descends to give a ‘group law’ on $\mathbb{C}/\Lambda$. The group operations are obviously given by holomorphic functions and therefore $\mathbb{C}/\Lambda$ is a 1-dimensional complex Lie group.

3.3 Main result

Our main result for today will be the following:

Theorem 3.1. Let $E$ be an elliptic curve over $\mathbb{C}$. Then $E$ is isomorphic as a complex Lie group to $\mathbb{C}/\Lambda$ for some lattice $\Lambda \subset \mathbb{C}$. Conversely, given any lattice $\Lambda \subset \mathbb{C}$, there exists an elliptic curve $E$ over $\mathbb{C}$ such that $\mathbb{C}/\Lambda$ and $E$ are isomorphic as complex Lie groups.

Assuming this for the moment we can prove the following proposition, which has consequences for elliptic curves over $\mathbb{Q}$:

Proposition 3.2. Let $E$ be an elliptic curve over $\mathbb{C}$ and let $m \geq 1$ be an integer. Then

1. As abstract groups

$$E_m(\mathbb{C}) := \{P \in E(\mathbb{C}) \mid mP = O\} = \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$$

2. The multiplication-by-$m$ map

$$[m] : E \longrightarrow E, \qquad P \longmapsto mP$$

has degree $m^2$.

Proof. 1. We know that $E(\mathbb{C})$ is isomorphic to $\mathbb{C}/\Lambda$, for some lattice $\Lambda \subset \mathbb{C}$. Hence

$$E_m(\mathbb{C}) \simeq (\mathbb{C}/\Lambda)_m \simeq \left(\tfrac{1}{m}\Lambda/\Lambda\right) \simeq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$$

2. By the Riemann-Hurwitz formula we have

$$2g(E) - 2 = \deg[m]\,(2g(E) - 2) + R$$

where $R$ denotes the ramification and $g$ denotes the genus. Since the genus $g(E)$ equals 1 we get that $R = 0$, that is, $[m]$ is unramified. Therefore the degree of $[m]$ is equal to the number of points in the inverse image of $O$. This is just $m^2$ by part 1.

Remark. If $E$ is an elliptic curve over $\mathbb{Q}$, then $E(\mathbb{Q})$ is a subgroup of $E(\mathbb{C})$. To see this, observe that the formula for addition on an elliptic curve is given by rational functions with coefficients in $\mathbb{Q}$. Hence

$$E_m(\mathbb{Q}) \leq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$$

as abstract groups. This agrees with what we found in the $m = 2$ case in the last lecture.

3.4 To go from C/Λ to a corresponding elliptic curve E/C

We now turn our attention to theorem 3.1. To begin with, we sketch the proof of the second statement in the proposition.

Let $\Lambda \subset \mathbb{C}$ be a fixed lattice. We make the following definitions:

Definition 3.3. An elliptic function (relative to $\Lambda$) is a meromorphic function $f(z)$ on $\mathbb{C}$ such that

$$f(z + w) = f(z) \quad \forall z \in \mathbb{C},\ w \in \Lambda$$

Definition 3.4. The Weierstrass ℘-function (relative to $\Lambda$) is defined by the series

$$\wp(z) = \frac{1}{z^2} + \sum_{\substack{\omega \in \Lambda \\ \omega \neq 0}} \left( \frac{1}{(z - \omega)^2} - \frac{1}{\omega^2} \right)$$

The Weierstrass ℘-function will allow us to construct an elliptic curve which is isomorphic to $\mathbb{C}/\Lambda$. First we need the following result which is stated without proof:

Proposition 3.5. The series defining $\wp(z)$ converges absolutely and uniformly on compact subsets of $\mathbb{C} - \Lambda$. It defines a meromorphic function on $\mathbb{C}$ having a double pole with residue 0 at each lattice point and no other poles. Furthermore, $\wp(z)$ is an even elliptic function.

By expanding $(z - \omega)^{-2} - \omega^{-2}$ about $z = 0$ we see that the Laurent series for $\wp(z)$ about $z = 0$ is

$$\wp(z) = \frac{1}{z^2} + \sum_{k=1}^{\infty} (2k + 1)\,G_{2k+2}\,z^{2k}$$

where

$$G_{2k} = \sum_{\substack{\omega \in \Lambda \\ \omega \neq 0}} \frac{1}{\omega^{2k}}.$$

Therefore we see that

$$\wp(z) = \frac{1}{z^2} + 3G_4z^2 + \text{h.o.t.}$$

$$\wp(z)^3 = \frac{1}{z^6} + 9G_4\frac{1}{z^2} + 15G_6 + \text{h.o.t.}$$

$$\wp'(z)^2 = \frac{4}{z^6} - 24G_4\frac{1}{z^2} - 80G_6 + \text{h.o.t.}$$

where h.o.t. means ‘higher order terms’. By taking a suitable linear combination of these functions we can remove the negative part, and indeed the constant term, of the Laurent series. The appropriate linear combination is

$$f(z) = \wp'(z)^2 - 4\wp(z)^3 + 60G_4\wp(z) + 140G_6.$$

Observe that $f(z)$ is elliptic, holomorphic on $\mathbb{C} - \Lambda$ (since $\wp(z)$ is), holomorphic and vanishing at 0 (by construction) and thus holomorphic on all of $\mathbb{C}$ (by $\Lambda$-periodicity). Let $\omega_1, \omega_2$ be a $\mathbb{Z}$ basis for $\Lambda$ and let $D$ be the fundamental parallelogram

$$D = \{r_1\omega_1 + r_2\omega_2 \mid 0 \leq r_1, r_2 < 1\}.$$

Then $D$ contains exactly one coset representative for each element of $\mathbb{C}/\Lambda$. Therefore, since $f(z)$ is elliptic, we have

$$f(\mathbb{C}) = f(D) = f(\bar{D}).$$

But $\bar{D}$ is compact and $f$ is continuous so $f$ is bounded. So by Liouville’s theorem, and the fact that $f$ vanishes at $z = 0$, we have that $f(z) = 0$ for all $z$ i.e. we have an algebraic relation between $\wp$ and $\wp'$:

$$\wp'(z)^2 = 4\wp(z)^3 - g_2\wp(z) - g_3$$

where $g_2 = 60G_4$ and $g_3 = 140G_6$. We are now in a position to state the result which gives us the second part of theorem 3.1:

Proposition 3.6. Using the above notation:

1. The polynomial $4x^3 - g_2x - g_3$ has distinct roots.

2. Let $E$ be the elliptic curve over $\mathbb{C}$ given by the equation

$$y^2 = 4x^3 - g_2x - g_3.$$

Then the map

$$\phi : \mathbb{C}/\Lambda \longrightarrow E \subset \mathbb{P}^2(\mathbb{C}), \qquad z \longmapsto [\wp(z) : \wp'(z) : 1]$$

is an isomorphism of complex Lie groups.

To go from E/C to C/Λ for some lattice Λ

We now sketch the proof of the first statement of theorem 3.1. Let $E$ be an elliptic curve over $\mathbb{C}$. We may assume that $E$ is given by the equation

$$y^2 = x(x - 1)(x - \lambda).$$

As we observed at the beginning of the lecture, $E$ is homeomorphic to the torus. Therefore, we can take two paths $\alpha$ and $\beta$ on $E$ which form a $\mathbb{Z}$ basis for $H_1(E, \mathbb{Z})$. Let $\omega$ be the differential 1-form

$$\omega = \frac{dx}{y}.$$

Then $\omega$ is an everywhere regular differential form on $E$ (for a proof, see Wilson’s notes pp. 16/17). We define two complex numbers

$$\omega_1 = \int_\alpha \omega \quad\text{and}\quad \omega_2 = \int_\beta \omega$$

called periods of $E$ and let $\Lambda = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$. It can be shown that $\omega_1, \omega_2$ are linearly independent over $\mathbb{R}$ and hence $\Lambda$ is a lattice. Fix a point $P_0 \in E(\mathbb{C})$ and define the map

$$\psi : E(\mathbb{C}) \longrightarrow \mathbb{C}/\Lambda, \qquad P \longmapsto \int_\gamma \omega + \Lambda$$

where $\gamma$ is any path on $E$ joining $P_0$ to $P$. If $\delta$ is another such path, then $\gamma\delta^{-1}$ is homologous to $n\alpha + m\beta$ for some $n, m \in \mathbb{Z}$. This implies

$$\int_\gamma \omega = \int_\delta \omega + n\omega_1 + m\omega_2$$

and so $\psi$ is well defined. It turns out that $\psi$ is an isomorphism of complex Lie groups, as required!

Remark. By working on the surface $E(\mathbb{C})$ we have been able to interpret the integral

$$\int \frac{dx}{y} = \int \frac{dx}{\sqrt{x(x - 1)(x - \lambda)}}.$$

Integrals of this form arise when one attempts to compute arc length on an ellipse. It was in this context that elliptic curves first arose and this explains why they are called ‘elliptic’ curves.


Lecture 4

Heights and the Mordell-Weil Theorem

Giora Moss
04 / 02 / 2005

Transcribed by David Loeffler – so kudos should go to Mr. Moss but abuse to me.

Our aim in this section is to show that an elliptic curve can’t have ‘too many’ points. We will do this by introducing a measure of the size of a point, which will allow us to prove that there aren’t too many ‘small’ points. To do this we first need a notion of the ‘size’ of a rational number.

Definition 4.1. Let $\alpha \in \mathbb{Q}^\times$, $\alpha = \frac{m}{n}$, $m, n \in \mathbb{Z}$, $(m, n) = 1$. Then the height $H(\alpha) = \max(|m|, |n|)$. Defining $H(0) = 1$, we have an integer-valued function on $\mathbb{Q}$ such that for any $k$ there are only finitely many $\alpha$ such that $H(\alpha) < k$.

Definition 4.2. Let $E$ be an elliptic curve over $\mathbb{Q}$; then if $P = (x_P, y_P) \in E(\mathbb{Q})$ we define $H(P) = H(x_P)$. Setting $H(O) = 1$, we again have the property that there are only finitely many $P$ such that $H(P) < k$.

The main theorem of this section is the following, which shows that our notion of height interacts well with the group law on the curve.

Theorem 4.3. There exist constants $c_1, c_2 > 0$ (depending on the curve $E$) such that

$$c_1 < \frac{H(P \oplus Q)\,H(P \ominus Q)}{H(P)^2 H(Q)^2} < c_2.$$

Remark. If we define $h(P) = \log H(P)$, then this tells us that $h$ satisfies the parallelogram law to within $O(1)$.¹

To prove this, we need several more lemmas:

Definition 4.4. If $\alpha, \beta \in \mathbb{Q}$ with $\alpha = \frac{m}{t}$, $\beta = \frac{n}{t}$, $(m, n, t) = 1$, then we define $H(\alpha, \beta) = \max(|m|, |n|, |t|)$.

¹ A logical question to ask now is “is this because $h$ is within $O(1)$ of some genuine quadratic form $\hat{h}$?” It turns out that such an $\hat{h}$, the canonical height, does exist, and may be defined (following Tate) as $\lim_{n\to\infty} 4^{-n}h(2^nP)$. This has many pleasant properties, among them that $\hat{h}(P) = 0$ if and only if $P$ is a torsion point.


Lemma 4.5. There are constants $d_1, d_2 > 0$ such that for all $\alpha, \beta$ we have

$$d_1 < \frac{H(\alpha + \beta, \alpha\beta)}{H(\alpha)H(\beta)} < d_2.$$

Proof. Exercise. [Editorial comment: the best upper and lower bounds are in fact 2 and $\frac{\sqrt{5} - 1}{2}$ respectively. This statement is much less interesting than it might sound!]

Lemma 4.6. We have

$$x_{P\oplus Q} + x_{P\ominus Q} = \frac{(x_P + x_Q)(b_4 + 2x_Px_Q) + b_2x_Px_Q + b_6}{(x_P - x_Q)^2}$$

$$x_{P\oplus Q}\,x_{P\ominus Q} = \frac{x_P^2x_Q^2 - b_4x_Px_Q - b_6(x_P + x_Q) - b_8}{(x_P - x_Q)^2}$$

Proof. Since we’re working over $\mathbb{Q}$ we can assume WLOG that the curve is given by the equation $y^2 = x^3 + \frac{1}{4}b_2x^2 + \frac{1}{2}b_4x + \frac{1}{4}$; note that this change is made by adjusting $y$ alone, and the $x$ coordinates of points are unaffected.

Now substituting in the equations of the line through $P$ and $Q$ we can derive the stated formulae.

Lemma 4.7. In $\mathbb{Q}[x_P, x_Q]$ the three polynomials $(x_P - x_Q)^2$, $(x_P + x_Q)(b_4 + 2x_Px_Q) + b_2x_Px_Q + b_6$ and $x_P^2x_Q^2 - b_4x_Px_Q - b_6(x_P + x_Q) - b_8$ have no common zero with coordinates in Q.

Proof. If there is such a common zero, then $x_P = x_Q = x$ and the other two polynomials reduce to $q_1(x) = 4x^3 + b_2x^2 + 2b_4x + b_6 = 0$ and $q_2(x) = x^4 - b_4x^2 - 2b_6x - b_8 = 0$. But $x_{2P} = q_2(x_P)/q_1(x_P)$. Since there are 3 nontrivial 2-torsion points no cancellation can occur.

We shall write $x_P + x_Q = U = \frac{U_1}{U_3}$ and $x_Px_Q = \frac{U_2}{U_3}$ for integers $U_i$ where $(U_1, U_2, U_3) = 1$.

Lemma 4.8. We have $x_{P\oplus Q} + x_{P\ominus Q} = \frac{A_1}{A_3}$, $x_{P\oplus Q}\,x_{P\ominus Q} = \frac{A_2}{A_3}$, where the $A_i$ are defined by

$$A_1 = U_1U_3b_4 + 2U_1U_2 + b_2U_2U_3 + b_6U_3^2$$

$$A_2 = U_2^2 - b_4U_2U_3 - b_6U_1U_3 - b_8U_3^2$$

$$A_3 = U_1^2 - 4U_2U_3$$

Proof. Calculation.

It follows that:

Lemma 4.9. Regarded as polynomials in the $U_i$, the $A_i$ have no common zero except $(0, 0, 0)$.

We can now apply the Nullstellensatz to see that the $A_i$ must generate an ideal whose radical is the ideal $(U_1, U_2, U_3)$. Hence:


Lemma 4.10. There exists an integer $p$ and polynomials $G_{ij} \in \mathbb{Q}[U_1, U_2, U_3]$ of degree $p$ such that

$$U_i^{p+2} = \sum_j G_{ij}A_j$$

or equivalently polynomials $g_{ij} \in \mathbb{Z}[U_1, U_2, U_3]$ and a positive integer $d$ such that

$$dU_i^{p+2} = \sum_j g_{ij}A_j.$$

Proof. The only statement requiring proof is that the $G_{ij}$ have rational coefficients; but this is obvious, since a priori they are defined over Q and so their coefficients generate a finite extension of $\mathbb{Q}$. Applying the trace map we obtain polynomials with rational coefficients.


Lecture 5

Heights and Mordell-Weil, continued

Giora Moss
07 / 02 / 2005

Let’s assume from now on that $P \ne \pm Q$.

Observe that $H(x_{P\oplus Q} + x_{P\ominus Q},\ x_{P\oplus Q}\,x_{P\ominus Q}) = \max(|A_1|, |A_2|, |A_3|)/\gamma$, where $\gamma = (A_1, A_2, A_3)$. Using the Nullstellensatz identity above, we see that $\gamma \mid d$, so $\gamma$ is bounded by a quantity independent of the particular points we are considering.

Lemma 5.1. There exist constants $c_1, c_2$ such that

$$c_1H(U, V)^2 \le \max(A_1, A_2, A_3) \le c_2H(U, V)^2.$$

Proof. It is clear that there is some $c_1$ such that $\max(|A_1|, |A_2|, |A_3|) \le c_1H(U, V)^2$. For the other direction, we use the identities of Lemma 4.10; we have

$$|dU_i^{p+2}| \le c_3\max(|A_1|, |A_2|, |A_3|)\,H(U, V)^p,$$

so

$$dH(U, V)^{p+2} \le d\left(|U_1|^{p+2} + |U_2|^{p+2} + |U_3|^{p+2}\right) \le c_2\max(|A_1|, |A_2|, |A_3|)\,H(U, V)^p$$

and the result follows.

Since $1 \le \gamma \le d$, we have

$$c_1'H(U, V)^2 \le H(x_{P\oplus Q} + x_{P\ominus Q},\ x_{P\oplus Q}\,x_{P\ominus Q}) \le c_2'H(U, V)^2$$

for some new constants $c_1', c_2'$.

Now applying Lemma 4.5, the result of Theorem 4.3 follows, modulo the cases where $P = \pm Q$, which we now consider. Since $H(P) = H(-P)$ it is sufficient to show that there are constants $d_1, d_2$ such that

$$d_1 \le \frac{H(2P)}{H(P)^4} \le d_2.$$

We can freely ignore the finitely many points where $60P = O$, so we assume


that $O$, $\pm P$, $\pm 2P$, $\pm 3P$, $\pm 4P$, $\pm 5P$ are all distinct. So the quantities

$$\lambda_1 = \frac{H(3P)H(P)}{H(2P)^2H(P)^2} \qquad \lambda_2 = \frac{H(4P)H(2P)}{H(P)^2H(3P)^2}$$

$$\lambda_3 = \frac{H(5P)H(3P)}{H(P)^2H(4P)^2} \qquad \lambda_4 = \frac{H(5P)H(P)}{H(2P)^2H(3P)^2}$$

are all bounded above and below by nonzero constants. But

$$\lambda_1\lambda_2^2\lambda_3\lambda_4^{-1} = \frac{H(3P)H(P)}{H(2P)^2H(P)^2} \cdot \frac{H(4P)^2H(2P)^2}{H(P)^4H(3P)^4} \cdot \frac{H(5P)H(3P)}{H(P)^2H(4P)^2} \cdot \frac{H(2P)^2H(3P)^2}{H(5P)H(P)} = \frac{H(2P)^2}{H(P)^8},$$

and (4.3) is finally proved.

We are now in a position to prove the Mordell-Weil theorem under a certain plausible assumption, which we shall prove in the next lecture.

Theorem 5.2. Assume that $E(\mathbb{Q})/2E(\mathbb{Q})$ is finite. Then $E(\mathbb{Q})$ is finitely generated.

Proof. Let $Q_1, \ldots, Q_n$ be the elements of $E(\mathbb{Q})/2E(\mathbb{Q})$, and suppose $R$ is any point on the curve. Set $P_1 = R$. We construct a sequence $P_j$ as follows: $P_j$ has an expression in the form $Q_{i_j} + 2S$ for some $i_j \in \{1, \ldots, n\}$ and $S \in E(\mathbb{Q})$; take $P_{j+1} = S$ and repeat the process.

So for each $m$ we obtain

$$R = Q_{i_1} + 2Q_{i_2} + \cdots + 2^{m-2}Q_{i_{m-2}} + 2^{m-1}P_m.$$

However, for some constants $c, d, e, f$ we can write

$$H(P_m)^4 \le cH(2P_m) = cH(P_{m-1} \ominus Q_{i_{m-1}}) \le d\,\frac{H(P_{m-1})^2H(Q_{i_{m-1}})^2}{H(P_{m-1} \oplus Q_{i_{m-1}})} \le eH(P_{m-1})^2 \le f\left[\frac{H(P_{m-1})}{2}\right]^4$$

So at least one of $H(P_m) \le \frac{1}{2}H(P_{m-1})$ and $H(P_m) \le \sqrt{f}$ must hold. The former cannot be true for every $m$; so $E(\mathbb{Q})$ is generated by the finite set $\{Q_1, \ldots, Q_n\} \cup \{P \in E(\mathbb{Q}) \mid H(P) \le \sqrt{f}\}$.
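Theorem 4.3, the doubling bound on $H(2P)/H(P)^4$ and Tate's limit from the footnote can be checked numerically. The following Python sketch is an added example, not part of the original notes; the curve $y^2 = x^3 - 2$ with the point $(3, 5)$, the short Weierstrass addition formulas and all function names are assumptions of this example.

```python
from fractions import Fraction as F
from math import log

A, B = 0, -2                 # constructed example curve y^2 = x^3 + A*x + B
O = None                     # the point at infinity
P0 = (F(3), F(5))            # constructed sample point: 3^3 - 2 = 5^2

def on_curve(P):
    return P is O or P[1] ** 2 == P[0] ** 3 + A * P[0] + B

def neg(P):
    return O if P is O else (P[0], -P[1])

def add(P, Q):
    """Chord-and-tangent addition with exact rational arithmetic."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and y1 == -y2:          # Q = -P (covers 2-torsion doubling)
        return O
    if P == Q:
        lam = (3 * x1 * x1 + A) / (2 * y1)
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)

def mul(n, P):
    R = O
    for _ in range(n):
        R = add(R, P)
    return R

def H(P):
    """Height of Definition 4.2: max(|m|, |n|) for x_P = m/n in lowest terms."""
    if P is O:
        return 1
    return max(abs(P[0].numerator), abs(P[0].denominator))

def parallelogram_ratio(P, Q):
    """The quantity bounded between c1 and c2 in Theorem 4.3."""
    return F(H(add(P, Q)) * H(add(P, neg(Q))), H(P) ** 2 * H(Q) ** 2)

def tate_estimates(P, steps):
    """4^-n * h(2^n P) for n = 0..steps, with h = log H (footnote 1)."""
    out, Q = [], P
    for n in range(steps + 1):
        out.append(log(H(Q)) / 4 ** n)
        Q = add(Q, Q)
    return out

if __name__ == "__main__":
    for n in range(1, 6):
        print(n, H(mul(n, P0)), float(parallelogram_ratio(P0, mul(n + 1, P0))))
    print(tate_estimates(P0, 5))
```

The heights roughly square-square with each doubling while the printed ratios stay in a narrow band, which is the content of the theorem; the Tate estimates settle quickly because each step divides the bounded error by 4.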


Lecture 6

The curve E′ (missing)

David Rufino
09 / 02 / 2005

I have mislaid my copy of the notes for this one – DL


Lecture 7

Completion of the proof of Mordell-Weil

Zacky Choo
11 / 02 / 2005

This lecture, covering the next 4 sections of these notes, will be concerned with completing the proof of the Mordell-Weil theorem, in the case of curves with a rational point of order 2. In the following lecture, we will look at some examples, explicitly calculating the rank of some elliptic curves.

7.1 Notation and Recapitulation

$O$                          point at infinity
$E(\mathbb{Q})$              set of rational points on an elliptic curve plus $O$.
$2E(\mathbb{Q})$             $\{P \oplus P \mid P \in E(\mathbb{Q})\}$
$(\mathbb{Q}^\times)^2$      the multiplicative group of nonzero square rational numbers.

Recall from lecture 5 that we have shown that if $E(\mathbb{Q})/2E(\mathbb{Q})$ is finite, then $E(\mathbb{Q})$ is a finitely generated abelian group. From this time forth, we assume that $E$ has at least one point of order 2. This implies that we can write $E$ and $E'$ (the dual of $E$) as follows,

$$E : y^2 = x^3 + ax^2 + bx$$

$$E' : y^2 = x^3 + a'x^2 + b'x$$

where $a' = -2a$ and $b' = a^2 - 4b$, as defined in lecture 6. Also in lecture 6, we defined the maps $\phi : E \to E'$, given by

$$\phi(P) = \begin{cases} \left(\dfrac{y^2}{x^2}, \dfrac{y(x^2 - b)}{x^2}\right) & \text{if } P = (x, y),\ P \notin \{O, (0, 0)\} \\ O & \text{if } P \in \{O, (0, 0)\}, \end{cases}$$

and $\psi : E' \to E$, the natural analogue. We then proved that $\phi$ and $\psi$ are group homomorphisms, $\psi\phi(E(\mathbb{Q})) = 2(E(\mathbb{Q}))$, and the following two statements.

1. $(0, 0) \in \phi(E(\mathbb{Q})) \Leftrightarrow b' = a^2 - 4b \in (\mathbb{Q}^\times)^2$

2. If $u \ne 0$, then $(u, v) \in E'(\mathbb{Q})$ lies in $\phi(E(\mathbb{Q})) \Leftrightarrow u \in (\mathbb{Q}^\times)^2$

which has the natural analogue for $\psi$.


7.2 The Map α

Our aim is to show that $E(\mathbb{Q})/2E(\mathbb{Q})$ is finite. To this end, we will relate this group with other groups like $E'(\mathbb{Q})/\phi(E(\mathbb{Q}))$ via an exact sequence, then apply the index formula. As one can guess, the exact sequence will have maps like $\phi$ and $\psi$, but we lack one more map, which we will call $\alpha$.

Definition 7.1. Given an elliptic curve $E' : y^2 = x^3 + a'x^2 + b'x$, as above, define the following map

$$\alpha_{E'} : E'(\mathbb{Q}) \to \mathbb{Q}^\times/(\mathbb{Q}^\times)^2$$

where $\alpha_{E'}(O) = 1$, $\alpha_{E'}(0, 0) = b'$ and $\alpha_{E'}(x, y) = x$ if $x \ne 0$. Also, we define $\alpha_E : E(\mathbb{Q}) \to \mathbb{Q}^\times/(\mathbb{Q}^\times)^2$ to be the natural analogue.

Lemma 7.2. $\alpha_{E'}$ is a group homomorphism, with kernel precisely $\phi(E(\mathbb{Q}))$.

Proof. We need to show that $\forall\ P, Q$ in $E(\mathbb{Q})$, $\alpha_{E'}(P \oplus Q) = \alpha_{E'}(P)\alpha_{E'}(Q)$.

We first show that $\alpha_{E'}(\ominus P) = \alpha_{E'}^{-1}(P)$. This is trivial if $P \in \{O, (0, 0)\}$. Since we are working in $\mathbb{Q}^\times/(\mathbb{Q}^\times)^2$, $\alpha_{E'}^{-1}(P) = \alpha_{E'}(P)$. Then we note that if $x \ne 0$, $\ominus(x, y) = (x, -y)$, thus $\alpha_{E'}^{-1}(P) = x = \alpha_{E'}(\ominus P)$.

It then suffices to show that $\forall\ P, Q$ in $E(\mathbb{Q})$,

$$\alpha_{E'}(P)\alpha_{E'}(Q)\alpha_{E'}(R) = \alpha_{E'}(P \oplus Q \oplus R) = 1$$

where $R = P \oplus Q$.

Suppose $P$, $Q$ and $R$ have co-ordinates $(x_1, y_1)$, $(x_2, y_2)$ and $(x_3, y_3)$ respectively, and that they lie on the line $y = mx + c$, then the $x_i$’s are the roots of the following equation,

$$(mx + c)^2 = x^3 + ax^2 + bx$$

This implies that $c^2 = x_1x_2x_3$. Thus if $x_i \ne 0$ for $i = 1, 2, 3$, $\alpha_{E'}(P)\alpha_{E'}(Q)\alpha_{E'}(R) = x_1x_2x_3 = 1$. If WLOG, $R = (0, 0)$, then $c = 0$ and $x_1x_2 + x_1x_3 + x_2x_3 = a^2 - 4b = b'$, therefore $\alpha_{E'}(P)\alpha_{E'}(Q)\alpha_{E'}(R) = x_1x_2b' = (b')^2 = 1$.

To get the statement regarding the kernel, apply the statements about $\phi$ from the previous section/lecture.

Corollary 7.3. $\alpha_{E'}$ induces an injection $E'(\mathbb{Q})/\phi(E(\mathbb{Q})) \hookrightarrow \mathbb{Q}^\times/(\mathbb{Q}^\times)^2$.

7.3 The Image of α

Note that by the Corollary, we know that $|E'(\mathbb{Q})/\phi(E(\mathbb{Q}))| = |\mathrm{Im}(\alpha_{E'})|$. In particular, if we can show that the image of $\alpha_{E'}$ is finite, we can ultimately show that $E(\mathbb{Q})/2E(\mathbb{Q})$ is finite.

Lemma 7.4. Let $(x, y)$ be any point with co-ordinates in $\mathbb{Q}$ satisfying

$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6, \qquad a_i \in \mathbb{Z}.$$

Then $\exists\ m, n, e \in \mathbb{Z}$, $e \ge 1$, $(m, e) = (n, e) = 1$ such that $x = \frac{m}{e^2}$, $y = \frac{n}{e^3}$.


Proof. We start with $x = \frac{m}{r}$, $y = \frac{n}{s}$ s.t. $(m, r) = (n, s) = 1$ (always possible) and consider the factorisation of $r$ and $s$.
Let $p$ be a prime.
Let $p^a$ be the exact power of $p$ in $r$, and $p^b$ be the exact power of $p$ in $s$.
Note that $a > 0 \Leftrightarrow b > 0$.
The exact power of $p$ in the denominator of $x^3 + a_2x^2 + a_4x + a_6$ is $p^{3a}$.
If $a \ge b$, the power of $p$ in the denominator of $y^2 + a_1xy + a_3y$ is at most $p^{2a}$, contradiction.
So $b > a$, and the exact power of $p$ in the denominator of $y^2 + a_1xy + a_3y$ is $p^{2b}$.
Therefore, $2b = 3a$, so $\exists\ d_p \in \mathbb{N}$ s.t. $b = 3d_p$ and $a = 2d_p$.
Finally, let $e = \prod_p p^{d_p}$. Thus $r = e^2$ and $s = e^3$.

Lemma 7.5. Let $n' = \varpi(b')$ = number of distinct prime divisors of $b'$. Let $p_1, p_2, \ldots, p_{n'}$ be the distinct primes dividing $b'$. Let $W'$ be the subgroup of $\mathbb{Q}^\times/(\mathbb{Q}^\times)^2$ generated by $p_1, p_2, \ldots, p_{n'}$. Then $\mathrm{Im}(\alpha_{E'}) \subset W'$.

Proof. Let $(x, y) \in E'(\mathbb{Q})$, $x = \frac{m}{e^2}$, $y = \frac{n}{e^3}$, $e \ge 1$, $(m, e) = (n, e) = 1$, $x \ne 0$.

Then plugging this into the equation for $E'$, we get

$$n^2 = m(m^2 + a'me^2 + b'e^4)$$

Let $p$ be a prime.
If $p \mid m$ and $p \nmid (m^2 + a'me^2 + b'e^4)$, $\Rightarrow p \mid n^2 \Rightarrow p^2 \mid n^2 \Rightarrow p^2 \mid m$.
If $p \mid m$ and $p \mid (m^2 + a'me^2 + b'e^4)$, $\Rightarrow p \mid b'e^4 \Rightarrow p \mid b'$.
Hence, $m = w^2\varepsilon p_1^{\delta_1}p_2^{\delta_2} \cdots p_{n'}^{\delta_{n'}}$,

where $\varepsilon = \pm 1$, $w \in \mathbb{Z}$, $\delta_i \in \{0, 1\}$, $\forall\ 1 \le i \le n'$.

Corollary 7.6. $|\mathrm{Im}(\alpha_{E'})| \le 2^{n'+1}$ and hence $|E'(\mathbb{Q})/\phi(E(\mathbb{Q}))| \le 2^{n'+1}$.

7.4 The Exact Sequence

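First off, note that everything we have proven for $\alpha_{E'}$ has a direct analogue for $\alpha_E$. Now finally, we put together all we know about $\phi$, $\psi$ and $\alpha$ to give us the following theorem.

Theorem 7.7. Let $n = \varpi(b)$ and $n' = \varpi(b')$. Then

$$|E(\mathbb{Q})/2E(\mathbb{Q})| \le 2^{n+n'+1+p} \quad\text{where}\quad p = \begin{cases} 1 & \text{if } b' \in (\mathbb{Q}^\times)^2 \\ 0 & \text{if } b' \notin (\mathbb{Q}^\times)^2 \end{cases}$$

Proof. The sequence $E(\mathbb{Q}) \xrightarrow{\ \phi\ } E'(\mathbb{Q}) \xrightarrow{\ \psi\ } E(\mathbb{Q})$ induces the following exact sequence:

$$0 \to \{O, (0, 0)\}_{\subset E(\mathbb{Q})} \hookrightarrow E(\mathbb{Q})_2 \xrightarrow{\ \phi\ } \{O, (0, 0)\}_{\subset E'(\mathbb{Q})} \xrightarrow{\ \alpha'\ } \frac{E'(\mathbb{Q})}{\phi E(\mathbb{Q})} \xrightarrow{\ \psi\ } \frac{E(\mathbb{Q})}{2E(\mathbb{Q})} \xrightarrow{\ \alpha_E\ } \mathrm{Im}(\alpha_E) \to 0$$

where $E(\mathbb{Q})_2$ is the set of points of order 2 in $E(\mathbb{Q})$ and $\alpha'$ is much akin to $\alpha_{E'}$ and can be explicitly described as bringing $O$ to $O$ and $(0, 0)$ to $O$ or $(0, 0)$, depending on whether $(0, 0)$ is in $\mathrm{Im}(\phi)$, which, in turn,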


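depends on whether $b'$ is in $(\mathbb{Q}^\times)^2$.

Searching for the points of order 2 on $E : y^2 = x^3 + ax^2 + bx$, we check that $|E(\mathbb{Q})_2| = 4$ if $a^2 - 4b \in (\mathbb{Q}^\times)^2$ and $|E(\mathbb{Q})_2| = 2$ if $a^2 - 4b \notin (\mathbb{Q}^\times)^2$.

Note that $\mathrm{Im}(\alpha_{E'}) \cong \frac{E'(\mathbb{Q})}{\phi E(\mathbb{Q})}$ and $\mathrm{Im}(\alpha_E) \cong \frac{E(\mathbb{Q})}{\psi E'(\mathbb{Q})}$, thus by the index formula,

$$\left|\frac{E'(\mathbb{Q})}{2E(\mathbb{Q})}\right| = \frac{|E(\mathbb{Q})_2|\,|\mathrm{Im}(\alpha_E)|\,|\mathrm{Im}(\alpha_{E'})|}{2 \times 2} \le 2^{n+n'+1+p}.$$

Corollary 7.8. If $E(\mathbb{Q})$ has at least one point of order 2, then $E(\mathbb{Q})$ is a finitely generated abelian group.

Notation: We write $E(\mathbb{Q}) = \Delta \times \mathbb{Z}^{g_E}$, where $\Delta$ is the torsion group and $g_E$ is the finite rank of $E$.

Theorem 7.9. The rank $g_E$ is given by the formula

$$2^{g_E} = \frac{|\mathrm{Im}(\alpha_E)|\,|\mathrm{Im}(\alpha_{E'})|}{4}.$$

Proof.

$$\frac{E(\mathbb{Q})}{2E(\mathbb{Q})} = \frac{\Delta}{2\Delta} \times \left(\frac{\mathbb{Z}}{2\mathbb{Z}}\right)^{g_E} = E(\mathbb{Q})_2 \times \left(\frac{\mathbb{Z}}{2\mathbb{Z}}\right)^{g_E}.$$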

7.5 Determination of Im(α)

Given an elliptic curve $E$ that has at least one point of order 2, we have seen from the last theorem that if we are able to determine $\mathrm{Im}(\alpha_E)$ and $\mathrm{Im}(\alpha_{E'})$, then we can determine the rank $g_E$. In this section, we will explain how we can explicitly determine $\mathrm{Im}(\alpha_E)$ and $\mathrm{Im}(\alpha_{E'})$.

Recall that we can write $E$ and $E'$ as follows:

$$E : y^2 = x^3 + ax^2 + bx$$

$$E' : y^2 = x^3 + a'x^2 + b'x$$

Lemma 7.10. The equation $N^2 = b_1M^4 + aM^2e^2 + b_2e^4$ has a solution for some $b_1, b_2, N, M, e \in \mathbb{Z}$, $e > 0$, $b_1b_2 = b$, if and only if $\left(\frac{b_1M^2}{e^2}, \frac{b_1MN}{e^3}\right) \in E(\mathbb{Q})$.

Proof. Consider $y^2 = x^3 + ax^2 + bx$.

$$y^2 = \frac{b_1M^2}{e^2}\left(\frac{b_1^2M^4}{e^4} + \frac{ab_1M^2}{e^2} + b\right) = \frac{b_1^2M^2}{e^6}\left(b_1M^4 + aM^2e^2 + b_2e^4\right) = \frac{b_1^2M^2N^2}{e^6}.$$


The lemma implies that if $N^2 = b_1M^4 + aM^2e^2 + b_2e^4$ has a solution, then $b_1$ is in $\mathrm{Im}(\alpha_E)$. However, the converse is not immediately obvious. This is easily fixed by the following lemma.

Lemma 7.11. Suppose $(x, y) \in E(\mathbb{Q})$ and $\alpha_E(x, y) = b_1$, then the equation $N^2 = b_1M^4 + aM^2e^2 + b_2e^4$ has a solution for some $N, M, e \in \mathbb{Z}$, $e > 0$, $b_1b_2 = b$.

Proof. First off, note that by Lemma 7.5 on page 26, we know that $b_1$ divides $b$. By Lemma 7.4 on page 25, and using our hypothesis, we can write

$$x = \frac{b_1M^2}{e^2}, \quad y = \frac{n}{e^3}, \quad\text{where } e > 0,\ (M, e) = (n, e) = (b_1, e) = 1$$

We plug this into $y^2 = x^3 + ax^2 + bx$, and after some algebraic manipulation, we get $n^2 = b_1^2M^2(b_1M^4 + aM^2e^2 + b_2e^4)$. Note that all the variables are integers, and we thus deduce the lemma.

Remark. Using a similar method, we can show that given $(x, y) \in E(\mathbb{Q})$, and setting $b_1 = (b, m)$, we can find a solution for $N^2 = b_1M^4 + aM^2e^2 + b_2e^4$ such that $(M, e) = (N, e) = (b_1, e) = (b_2, M) = (N, M) = 1$.

Corollary 7.12. The equation $N^2 = b_1M^4 + aM^2e^2 + b_2e^4$ has a solution for some $b_1, b_2, N, M, e \in \mathbb{Z}$, $e > 0$, $b_1b_2 = b$, if and only if $b_1$ is in $\mathrm{Im}(\alpha_E)$.

Remark. The Corollary is still true if we replace $\alpha_E$ by $\alpha_{E'}$ and $b$ by $b'$.


Lecture 8

Examples of rank calculations

Zacky Choo
14 / 02 / 2005

We note from Lemma 7.5 on page 26 that $\mathrm{Im}(\alpha_E)$ (resp. $\mathrm{Im}(\alpha_{E'})$) is contained in a finite set generated by $-1$ and the prime divisors of $b$ (resp. $b'$). Corollary 7.12 on the page before will be the main tool in the determination of the image of $\alpha$, and while it is sufficient, a few remarks would help simplify our working.

Remark. Note that $1, b \in \mathrm{Im}(\alpha_E)$ since $\alpha_E(O) = 1$ and $\alpha_E(0, 0) = b$. Also since $\alpha_E$ is a group homomorphism, $\mathrm{Im}(\alpha_E)$ obeys group laws, that is, if $x, y \in \mathrm{Im}(\alpha_E)$, then so is $xy$. Again, the remark holds true if we replace $\alpha_E$ by $\alpha_{E'}$ and $b$ by $b'$.

Example 1 $E : y^2 = x^3 - x$

First we determine $\mathrm{Im}(\alpha_E)$. $b = -1 \Rightarrow \mathrm{Im}(\alpha_E) \subset \{\pm 1\}$. By the remark above, $\mathrm{Im}(\alpha_E) = \{\pm 1\}$, thus $|\mathrm{Im}(\alpha_E)| = 2$. Next, we determine $\mathrm{Im}(\alpha_{E'})$. We have $E' : y^2 = x^3 + 4x$. $b' = 4 \Rightarrow \mathrm{Im}(\alpha_{E'}) \subset \{\pm 1, \pm 2\}$.

We need only consider the equation $N^2 = b_1M^4 + aM^2e^2 + b_2e^4$ for $b_1 = -1, 2$ by the above remark, but we’ll just check all the cases anyway.

$b_1 = 1$ : $N^2 = M^4 + 4e^4$, $N = 2, M = 0, e = 1$
$b_1 = -1$ : $N^2 = -M^4 - 4e^4$, no solutions, by considering positivity
$b_1 = 2$ : $N^2 = 2M^4 + 2e^4$, $N = 2, M = e = 1$
$b_1 = -2$ : $N^2 = -2M^4 - 2e^4$, no solutions, by positivity

Therefore, $|\mathrm{Im}(\alpha_{E'})| = |\{1, 2\}| = 2$. Then by Theorem 7.9 on page 27, $2^{g_E} = (2 \times 2)/4 \Rightarrow g_E = 0$.

Example 2 $E : y^2 = x^3 - 17x$

$b = -17 \Rightarrow \mathrm{Im}(\alpha_E) \subset \{\pm 1, \pm 17\}$. We need only consider $N^2 = b_1M^4 + aM^2e^2 + b_2e^4$ for $b_1 = -1$.

$b_1 = -1$ : $N^2 = -M^4 + 17e^4$, $N = 4, M = e = 1$

Therefore, $|\mathrm{Im}(\alpha_E)| = |\{\pm 1, \pm 17\}| = 4$.

$E' : y^2 = x^3 + 4 \cdot 17x$. $b' = 4 \cdot 17 \Rightarrow \mathrm{Im}(\alpha_{E'}) \subset \{\pm 1, \pm 2, \pm 17, \pm 2 \cdot 17\}$. We need only consider the generators $b_1 = -1, 2$. [Note $17 \equiv b' \bmod (\mathbb{Q}^\times)^2$].

$b_1 = -1$ : $N^2 = -M^4 - 4 \cdot 17e^4$, no solutions by positivity
$b_1 = 2$ : $N^2 = 2M^4 + 2 \cdot 17e^4$, $N = 6, M = e = 1$

Therefore, $|\mathrm{Im}(\alpha_{E'})| = |\{1, 17, 2, 2 \cdot 17\}| = 4$. Therefore, $g_E = 2$.


Example 3 $E : y^2 = x^3 - 226x$

$b = -2 \cdot 113 \Rightarrow \mathrm{Im}(\alpha_E) \subset \{\pm 1, \pm 2, \pm 113, \pm 2 \cdot 113\}$. We need only consider $b_1 = -1, 2$.

$b_1 = -1$ : $N^2 = -M^4 + 226e^4$, $N = 15, M = e = 1$
$b_1 = 2$ : $N^2 = -2M^4 + 113e^4$, $N = 9, M = 2, e = 1$

Therefore, $|\mathrm{Im}(\alpha_E)| = 8$.

$E' : y^2 = x^3 + 4 \cdot 226x$. $b' = 2^3 \cdot 113 \Rightarrow \mathrm{Im}(\alpha_{E'}) \subset \{\pm 1, \pm 2, \pm 113, \pm 2 \cdot 113\}$. We need only consider $b_1 = -1, 2$. [Note $2 \cdot 113 \equiv b' \bmod (\mathbb{Q}^\times)^2$].

$b_1 = -1$ : $N^2 = -M^4 - 2^3 \cdot 113e^4$, no solutions by positivity
$b_1 = 2$ : $N^2 = 2M^4 + 4 \cdot 113e^4$, $N = 22, M = 2, e = 1$

Therefore, $|\mathrm{Im}(\alpha_{E'})| = 4$. Therefore, $g_E = 3$.

Example 4 $E : y^2 = x^3 + px$, where $p$ is a prime, $p \equiv 5 \bmod 8$.

$b = p \Rightarrow \mathrm{Im}(\alpha_E) \subset \{\pm 1, \pm p\}$. We need only consider $b_1 = -1$.

$b_1 = -1$ : $N^2 = -M^4 - pe^4$, no solutions

Therefore, $|\mathrm{Im}(\alpha_E)| = |\{1, p\}| = 2$.

$E' : y^2 = x^3 - 4px$. $b' = -4p \Rightarrow \mathrm{Im}(\alpha_{E'}) \subset \{\pm 1, \pm 2, \pm p, \pm 2p\}$. We need only consider the generators $b_1 = -1, 2$ and $p$. Note $-p = b' \bmod (\mathbb{Q}^\times)^2$, so it is sufficient to check when $b_1 = 2$ and $p$. (Checking at $b_1 = -1$ is equivalent to checking at $b_1 = p$). Suppose $b_1 = 2$, then consider $N^2 = 2M^4 - 2pe^4$.

$$\Rightarrow N^2 \equiv 2M^4 \pmod{p} \Rightarrow \left(\frac{2M^2}{p}\right) = \left(\frac{2}{p}\right) = \left(\frac{N^2}{p}\right) = 1$$

However, $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8} = -1$, i.e., contradiction. Suppose $b_1 = p$, then consider $N^2 = pM^4 - 4e^4$. Therefore, depending on whether this equation has a solution, $|\mathrm{Im}(\alpha_{E'})| = |\{1, -p\}| = 2$ or $|\mathrm{Im}(\alpha_{E'})| = |\{\pm 1, \pm p\}| = 4$, which implies $g_E = 0$ or 1. We know that there exist solutions of $N^2 = pM^4 - 4e^4$ for the first few primes.

p     N     M     e
5     1     1     1
13    1     3     1
29    1     5     1
37    3     151   3
53    1     7     1

Conjecture: For all $E : y^2 = x^3 + px$, $p \equiv 5 \bmod 8$, $g_E = 1$.
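The procedure used in Examples 1 to 4 (Lemma 7.5 for the candidate classes, Corollary 7.12 for membership, Theorem 7.9 for the rank) can be automated for curves $y^2 = x^3 + ax^2 + bx$. The Python sketch below is an added example, not part of the original notes; the function names and the search bound are assumptions of this example. A bounded search can only confirm that a class lies in the image, so classes that are neither found nor excluded by positivity are returned as undecided and need a separate argument such as the Legendre-symbol one in Example 4.

```python
from itertools import product
from math import isqrt

def squarefree_part(n):
    """Representative of n in Q*/(Q*)^2: drop square factors, keep the sign."""
    sign, n, out, d = (-1 if n < 0 else 1), abs(n), 1, 2
    while d * d <= n:
        while n % (d * d) == 0:
            n //= d * d
        if n % d == 0:
            out *= d
            n //= d
        d += 1
    return sign * out * n

def candidate_classes(b):
    """+-(squarefree divisors of b): the finite set containing Im(alpha) (Lemma 7.5)."""
    divs = [d for d in range(1, abs(b) + 1)
            if b % d == 0 and squarefree_part(d) == d]
    return {s * d for d in divs for s in (1, -1)}

def quartic_solution(b1, a, b2, bound):
    """Search 0 <= M <= bound, 1 <= e <= bound for N^2 = b1*M^4 + a*M^2*e^2 + b2*e^4."""
    for M, e in product(range(bound + 1), range(1, bound + 1)):
        rhs = b1 * M**4 + a * M**2 * e**2 + b2 * e**4
        if rhs >= 0 and isqrt(rhs) ** 2 == rhs:
            return isqrt(rhs), M, e
    return None

def image_of_alpha(a, b, bound=12):
    """Return (classes shown to lie in Im(alpha), classes left undecided)."""
    classes = candidate_classes(b)
    group = {1, squarefree_part(b)}          # alpha(O) = 1, alpha((0,0)) = b
    for b1 in classes:
        if quartic_solution(b1, a, b // b1, bound):
            group.add(b1)                    # Corollary 7.12
    while True:                              # Im(alpha) is a group: close it up
        bigger = group | {squarefree_part(x * y) for x in group for y in group}
        if bigger == group:
            break
        group = bigger
    # "No solutions by positivity": every term is <= 0 and b2*e^4 < 0.
    excluded = {b1 for b1 in classes if a <= 0 and b1 < 0 and b // b1 < 0}
    return group, classes - group - excluded

def rank_by_two_descent(a, b, bound=12):
    """Theorem 7.9: 2^g = |Im(alpha_E)| * |Im(alpha_E')| / 4.

    The returned rank is exact when the undecided set is empty and a lower
    bound otherwise.
    """
    img, und = image_of_alpha(a, b, bound)
    img_dual, und_dual = image_of_alpha(-2 * a, a * a - 4 * b, bound)
    rank = (len(img) * len(img_dual) // 4).bit_length() - 1
    return rank, und | und_dual

if __name__ == "__main__":
    for b in (-1, -17, -226, 5):
        print(f"y^2 = x^3 + ({b})x:", rank_by_two_descent(0, b))
```

For $p = 5$ the undecided classes are exactly $\pm 2, \pm 2p$, the ones Example 4 rules out with the Legendre symbol, so the lower bound of 1 is the true rank there.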


Lecture 9

Introduction to the P-adic numbers

Chernyang Lee
16 / 02 / 2005

Transcribed and edited by David Loeffler from Chernyang’s photocopied notes.

The p-adic numbers can be approached from two perspectives: as completions, or as formal power series.

9.1 Valuations

Let $p$ be a rational prime. Then we define the p-adic valuation $\nu_p$ on $\mathbb{Q}$ to be the map $\nu_p : \mathbb{Q} \to \mathbb{Z} \cup \{+\infty\}$ defined by $\nu_p(0) = +\infty$ and $\nu_p(p^n\frac{r}{s}) = n$, where $n \in \mathbb{Z}$ and $(r, p) = (s, p) = 1$. It’s easily checked that $\nu_p(xy) = \nu_p(x) + \nu_p(y)$.

Define the p-adic absolute valuation $|\cdot|_p$ by $|x|_p = p^{-\nu_p(x)}$. So $|xy|_p = |x|_p|y|_p$.

Proposition 9.1. Defining $d_p(x, y) = |x - y|_p$, $(\mathbb{Q}, d_p)$ is a metric space.

Proof. We must check the following are satisfied:

1. $d_p(x, y) \ge 0$ with equality iff $x = y$: clear.

2. $d_p(x, y) = d_p(y, x)$: clear.

3. $d_p(x, z) \le d_p(x, y) + d_p(y, z)$: we shall show that a stronger result in fact holds, that $d_p(x, z) \le \max(d_p(x, y), d_p(y, z))$. This is an easy check from the definition, since if $p^r$ divides $x - y$ and $y - z$ it certainly divides $x - z$.

A space satisfying the stronger condition of (3) above is known as an ultrametric space. It’s clear that equality occurs unless $d_p(x, y) = d_p(y, z)$, so in an ultrametric space “all triangles are isosceles”. Ultrametric spaces have a number of useful properties that make analysis in these spaces much easier than in $\mathbb{R}$:

9.1.1 Crucial property of ultrametric spaces

A sequence $\{a_n\}$ in an ultrametric space $(X, d)$ is Cauchy if and only if $d(a_n, a_{n+1}) \to 0$; and if $a_n \to a$ and $b \ne a$, then $d(a_n, b) = d(a, b)$ for all sufficiently large $n$.


Proof. 1. The “only if” is trivial; so assume $d(a_n, a_{n+1}) \to 0$. By induction, for all $m \ge n$ we have $d(a_n, a_m) \le \max\{d(a_n, a_{n+1}), d(a_{n+1}, a_{n+2}), \ldots, d(a_{m-1}, a_m)\}$, which is $< \varepsilon$ for all sufficiently large $n$. Hence $\{a_n\}$ is Cauchy.

2. Since $d(a_n, a) \to 0$, for all sufficiently large $n$ we have $d(a_n, a) < d(a, b)$, so $d(a_n, b) = d(a, b)$ by the isosceles triangles remark above.

Completion of $(\mathbb{Q}, d_p)$

If $\{x_n\}$, $\{y_n\}$ are both Cauchy sequences in $(\mathbb{Q}, d_p)$ we write $\{x_n\} \equiv \{y_n\}$ if $d_p(x_n, y_n) \to 0$. It’s easy to check that this is an equivalence relation, and if $R$ is the ring of Cauchy sequences with pointwise addition and multiplication, the set of sequences equivalent to 0 is a maximal ideal. So the quotient is a field – the p-adic numbers $\mathbb{Q}_p$.

We extend the absolute value $|\cdot|_p$ to $\mathbb{Q}_p$ in the obvious way, as $\lim |x_n|_p$ – this is well-defined and extends the valuation on $\mathbb{Q}$ by the second half of the above result.

We can now define

$$\mathbb{Z}_p = \{x \in \mathbb{Q}_p \mid |x|_p \le 1\}$$

$$M_p = \{x \in \mathbb{Q}_p \mid |x|_p < 1\}$$

Proposition 9.2. $\mathbb{Z}_p$ is a subring of $\mathbb{Q}_p$. $M_p$ is the unique maximal ideal of $\mathbb{Z}_p$, so $\mathbb{Z}_p$ is a local ring, the ring of p-adic integers.

Proof. Again this is routine verification; the fact that $\mathbb{Z}_p$ is a subring follows as the extended absolute value still satisfies $|x + y|_p \le \max(|x|_p, |y|_p)$ and $|xy|_p = |x|_p|y|_p$, and that $\mathbb{Z}_p$ is local follows since every element not in $M_p$ is invertible in $\mathbb{Z}_p$.

9.2 Explicit representation of Qp as formal power series

Again let $p$ be a rational prime; then we can define a p-adic number to be a formal power series

$$\alpha = \sum_{n=-M}^{\infty} a_mp^m$$

where $a_i$ are integers such that $0 \le a_i \le p - 1$.

When this is a finite formal sum, then in an obvious sense it represents a rational number; but not all rationals are of this form (indeed, only those whose denominator are a power of $p$). However we shall see that every rational does have a unique expansion in this form, which eventually repeats to the right.

Let $T$ be the ring of such formal series, with the obvious algebraic operations suggested by the notation. Then we can define a valuation $\|\cdot\|_p$ on $T$ by $\|\alpha\| = p^{-m}$ where $a_m$ is the first nonzero coefficient of $\alpha$.

To any $\alpha$ we associate the sequence of truncated sums $S_i = \sum_{-M}^{i} a_ip^i$. The sequence $\{S_i\}$ is then Cauchy with respect to the valuation $\|\cdot\|$ and tends to $\alpha$.

Now, we have seen that there is a natural map from the rationals with denominator a power of $p$ into a dense subset of $T$; and the two valuations agree on


this set. It’s an easy exercise to check that such rationals are dense in $\mathbb{Q}$ in the topology induced by $|\cdot|_p$, and since $T$ is evidently complete with respect to the valuation $\|\cdot\|_p$ and in, we obtain an isomorphism between $\mathbb{Q}_p$ and our ring $T$ of formal series.

Thus we can equate $\mathbb{Q}_p$ with $T$; then we have the identifications

$$\mathbb{Z}_p = \left\{\alpha \in T \;\middle|\; \alpha = \sum_{i \ge 0} a_ip^i\right\}$$

$$M_p = \left\{\alpha \in T \;\middle|\; \alpha = \sum_{i > 0} a_ip^i\right\} = p\mathbb{Z}_p$$

9.2.1 The sequence corresponding to a p-adic integer

Interpreting $\alpha \in \mathbb{Z}_p$ as the limit of the sequence $S_0, S_1, \ldots$ as defined above (where the $S_i$ are now integers), we clearly have $S_i = S_{i+1} \bmod p^{i+1}$. For convenience we shall write this as $s_i = \alpha \bmod p^{i+1}$.

Conversely, given any sequence of integers $S_i$ satisfying this compatibility requirement, they form a Cauchy sequence in $\mathbb{Q}_p$, so they determine a unique p-adic integer $\alpha$ such that $\alpha = S_n \bmod p^{n+1}$. So we have an alternative definition of $\mathbb{Q}_p$ as the inverse limit of the groups $\mathbb{Z}/p^n\mathbb{Z}$ with the obvious reduction maps $\mathbb{Z}/p^{n+1}\mathbb{Z} \to \mathbb{Z}/p^n\mathbb{Z}$.

9.2.2 Hensel’s lemma (simplest form)

Theorem 9.3. Given a polynomial $f(t) \in \mathbb{Z}[t]$, and some $s_0 \in \mathbb{Z}$ such that $f(s_0) = 0 \bmod p$, with $f'(s_0) \ne 0 \bmod p$, then there is some $\alpha \in \mathbb{Z}_p$ such that $f(\alpha) = 0$ and $\alpha = s_0 \bmod p$.

Proof. We shall construct by induction a sequence $s_i$ such that $f(s_i) = 0 \bmod p^{i+1}$ and $s_i = s_{i-1} \bmod p^i$. Then this defines an element of $\mathbb{Z}_p$ with $f(\alpha) = 0 \bmod p^n$ for all $n$, so $f(\alpha) = 0$.

The base case is given by hypothesis; so we assume case $n = k$ is true. Then

$$f(s_k + cp^{k+1}) = f(s_k) + p^{k+1}cf'(s_k) \bmod p^{k+2} = p^{k+1}(t + cf'(s_k)) \bmod p^{k+2} \quad\text{for some } t.$$

Now by hypothesis $f'(s_k) = f'(s_0) \ne 0 \bmod p$, so it is invertible mod $p$ and we may choose $c$ such that $f(s_k + cp^{k+1}) = 0 \bmod p^{k+2}$. So we choose $s_{k+1} = s_k + cp^{k+1}$.

Remark. Observe that there is only one possible choice of $c \pmod{p}$ at each stage, so there is a unique solution in $\mathbb{Z}_p$ reducing to the given root in $\mathbb{F}_p$.
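The inductive step of the proof is an algorithm. The following Python sketch is an added example, not part of the original notes; it lifts a simple root mod $p$ one digit at a time exactly as in the proof, with hypothetical function names and coefficient lists given highest degree first.

```python
def poly_eval(coeffs, t, mod):
    """Horner evaluation of f(t) mod `mod`; coeffs are highest degree first."""
    acc = 0
    for c in coeffs:
        acc = (acc * t + c) % mod
    return acc

def poly_deriv(coeffs):
    """Coefficients of f', highest degree first."""
    n = len(coeffs) - 1
    return [c * (n - i) for i, c in enumerate(coeffs[:-1])]

def hensel_lift(coeffs, s0, p, steps):
    """Return [s_0, ..., s_steps] with f(s_k) = 0 mod p^(k+1), s_k = s_(k-1) mod p^k.

    Requires f(s0) = 0 mod p and f'(s0) != 0 mod p (Theorem 9.3); raises
    ValueError otherwise, since the construction in the proof then fails.
    """
    if poly_eval(coeffs, s0, p) != 0:
        raise ValueError("s0 is not a root of f mod p")
    fprime = poly_eval(poly_deriv(coeffs), s0, p)
    if fprime == 0:
        raise ValueError("f'(s0) = 0 mod p: not a simple root")
    inv = pow(fprime, -1, p)          # f'(s_k) = f'(s_0) mod p for every k
    s = s0 % p
    seq = [s]
    for k in range(steps):
        pk = p ** (k + 1)
        # f(s_k) = p^(k+1) * t mod p^(k+2); solve t + c*f'(s_k) = 0 mod p.
        t = poly_eval(coeffs, s, pk * p) // pk
        c = (-t * inv) % p            # the unique choice of c mod p
        s += c * pk
        seq.append(s)
    return seq

def padic_digits(s, p, count):
    """Base-p digits a_0, a_1, ... of the truncated sum s."""
    return [(s // p ** i) % p for i in range(count)]

if __name__ == "__main__":
    # Constructed sample: a square root of 2 in Z_7, starting from 3^2 = 2 mod 7.
    seq = hensel_lift([1, 0, -2], 3, 7, 5)
    print(seq)
    print(padic_digits(seq[-1], 7, 6))
```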

9.3 Algebraic extensions of Qp

If $L/\mathbb{Q}_p$ is a finite algebraic extension of degree $n$, we can define a valuation on $L$ by

$$|\beta|_p = \left|N_{L/\mathbb{Q}_p}\beta\right|^{1/n};$$


Then the following facts are true:

1. This really is a valuation, and it is the unique extension of $|\cdot|_p$ to $L$.

2. $O_L = \{\beta \in L \mid |\beta|_p \le 1\}$ is a subring of $L$ and is the integral closure of $\mathbb{Z}_p$ in $L$.

3. $O_L$ is a local ring, and its unique maximal ideal is $P_L = \{\beta \in L \mid |\beta|_p < 1\}$, which is the unique prime of $L$ above $p$.

4. The quotient $O_L/P_L$ (the residue field of $L$) is a finite algebraic extension of $\mathbb{F}_p$ of the same degree as $L/\mathbb{Q}_p$.

For a proof, see Milne’s online notes “Algebraic Number Theory”, Thm 7.29 (p105).

Remark. Although this is stated for a finite extension, we can perform the construction in an arbitrary algebraic extension; simply define $|x|_p$ via the valuation corresponding to some finite extension $L/\mathbb{Q}_p$ containing $x$. By the tower law for norms, it does not matter which $L$ we choose, and we thus obtain a valuation on the algebraic closure $\overline{\mathbb{Q}_p}$.

Now, if $L$ is such an extension of $\mathbb{Q}_p$, then $L$ has only one prime, so there are two possibilities for how $p$ factors in $L$. Either $pO_L$ is prime, in which case it must be $P_L$; or it is $P_L^e$ for some $e > 1$. In the first case we say the extension $L/\mathbb{Q}_p$ is nonramified; in the second case it is ramified.

One common application of this result is to the splitting of primes in number fields. If $K$ is a number field and $p$ is a rational prime, then $p$ will factorise in $K$ as a product $\prod P_i^{e_i}$ of prime ideals of $K$. We can complete $K$ at any of these primes $P_i$ to obtain a complete field $K_{P_i}$ which is an algebraic extension of $\mathbb{Q}_p$, corresponding to adjoining to $\mathbb{Q}_p$ a root of one of the irreducible factors in $\mathbb{Q}_p[X]$ of the minimal polynomial of a primitive element of $K$.

Now, it is not too hard to see that the ramification index of the extension $K_{P_i}/\mathbb{Q}_p$ is precisely $e_i$. In particular $K_{P_i}/\mathbb{Q}_p$ is nonramified if and only if $P_i/p$ does not ramify in $K/\mathbb{Q}$. So studying extensions of $\mathbb{Q}_p$ allows us to isolate the ramification at a particular prime; this will be important when we study the extensions of $\mathbb{Q}$ arising from torsion points.

Example: Let $p$ be a prime congruent to 3 or 5 mod 8. Then 2 is not a square modulo $p$, so it is not a square in $\mathbb{Q}_p$ and the extension $\mathbb{Q}_p(\sqrt{2})/\mathbb{Q}$ is of degree 2. It is nonramified, since if we had $2O_L = P_L^2$, then 2 would have to ramify in the extension of number fields $\mathbb{Q}(\sqrt{2})/\mathbb{Q}$, which it does not. On the other hand, $\mathbb{Q}_p(\sqrt{p})$ is a ramified extension of ramification index 2.

9.3.1 Classification of unramified extensions

Now, we shall prove a theorem which explicitly classifies the possible nonramified extensions of $\mathbb{Q}_p$.

Theorem 9.4. There is a bijection

{finite nonramified extensions K/Qp} ←→ {finite extensions k/Fp}
K ←→ k = residue field of K


Moreover, this is inclusion-preserving (so K ⊂ K ′ ⇐⇒ k ⊂ k′); and all the nonrami-fied extensions are Galois over Qp.

Proof. We first show that the map sending an nonramified extension to its residuefield is surjective.

Let k/Fp be a finite extension; then by the primitive element theorem, k = Fp(a)some a. Suppose f(X) ∈ Zp[X] is any lifting of the minimal polynomial f(X) ∈Fp[X] for a. Then by Hensel’s lemma applied to the local field Qp, whose residuefield is the algebraic closure Fp, there is a unique α ∈ Qp such that α = a mod P ,where P is the maximal ideal of the ring of integers of Qp. Then the residuefield of Qp(α) is clearly Fp(a) = k; and since f is irreducible in Fp[X], Qp(α)/Q isnonramified.

Now, suppose K1 and K2 are nonramified extensions of Qp with isomorphicresidue fields. Then K1K2 is an nonramified extension of Qp, and its residue fieldis still k. But since [K1K2 : Qp] = [k : Fp] = [K1 : Qp], we must have K1 ⊃ K2, andsimilarly K2 ⊃ K1, so K1 and K2 are isomorphic.

It is clear that this map is a lattice isomorphism, so it remains to prove thestatement that nonramified extensions of Qp are Galois. However, it is knownthat finite extensions of Fp are always Galois; so given K/Qp, we know that itsresidue field k is Galois. Let’s write K = Qp(α) where α has minimal polynomialf . Now f ∈ Fp(X) must split completely in k, since k is Galois; but each of theroots in k must lift to a root in K, by Hensel’s lemma. So f splits completely inK, and K/Qp is Galois.

Remark. It’s easily shown that if L1 and L2 are nonramified extensions of Qp, then the composite L1L2 is nonramified; hence the union of all nonramified extensions of Qp is a field, denoted by Qp^nr – the maximal nonramified extension of Qp. This is then a local field and its residue field is the full algebraic closure F̄p.

Lecture 10

Introduction to formal groups

James Cranch, 18 / 02 / 2005

10.0 Motivation (non-examinable)

In an attempt to understand the group structure on an elliptic curve, we might be tempted to treat it analogously to a Lie group, and thus attempt to form its Lie algebra.

While modern algebraic geometry permits us to make this construction, the results are disappointing. Indeed, since the group law of an elliptic curve is abelian, we only get a trivial Lie algebra.

On the other hand, there is another natural local construction we can make in algebraic geometry: given an elliptic curve E over a field K we can take the local ring at the identity O_{E,0}. In general, local rings contain much more detailed information about an object than tangent spaces.

Thus it is desirable to try to model the group structure within the local ring. This lecture develops some machinery which will be necessary to interpret the result; next lecture sees us apply these techniques to elliptic curves.

10.1 Complete rings, local rings and Hensel’s lemma

Here are the basic definitions:

Definition 10.1. If R is a noetherian integral domain, and I an ideal, we define a norm

$$|x|_I = \exp(-\max\{n : x \in I^n\}).$$

We then define the completion of R with respect to I to be the completion with respect to this norm.

A ring is local if it has only one maximal ideal. If R is local, and M is its maximal ideal, we denote its completion with respect to this norm by R̂; this is also local with maximal ideal M · R̂.

And here are some important examples:

• All fields are local rings (with maximal ideal (0)). Warning: Do not confuse local rings with local fields.

• If R is an integral domain, and P a prime ideal then the localisation

R_P = {r/s ∈ Frac(R) : r ∈ R, s ∉ P}

is a local ring with maximal ideal PR_P ⊂ R_P.

• As a particular case of the above, the localisation Z(p) can be completed to form the p-adic ring Zp.

• The ring F[X], for F a field, is local with maximal ideal XF[X]. Its completion is the formal power series ring F[[X]].

Armed with this, we can state the major technical tool in this area:

Theorem 10.2. (“Hensel’s Lemma”) Let R be a ring which is complete with respect to some ideal I. Suppose that F(X) ∈ R[X], a ∈ R and n ≥ 1 are such that F(a) ∈ I^n and F′(a) ∈ R×. Then, if α ≡ F′(a) (mod I) then the sequence

$$w_0 = a, \qquad w_{m+1} = w_m - F(w_m)/\alpha$$

converges to an element b ∈ R such that F(b) = 0 and b ≡ a (mod I^n). Furthermore, if R is an integral domain, then b is uniquely determined.

Proof. Omitted (see Silverman, IV.1.2).
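The iteration of Theorem 10.2 can be run in R = Zp with I = pZp and n = 1, working modulo p^k. The following is an added example, not part of the original notes; the function names are hypothetical, and polynomials are given as integer coefficient lists from degree 0 upwards.

```python
def poly_eval(coeffs, x, mod):
    """Evaluate a polynomial (coefficients from degree 0 up) at x modulo mod."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def derivative(coeffs):
    """Formal derivative of a polynomial given as a coefficient list."""
    return [i * c for i, c in enumerate(coeffs)][1:]


def ord_p(n, p, cap):
    """p-adic valuation of n, capped at cap (so 0 modulo p**cap reports cap)."""
    v = 0
    while v < cap and n % p == 0:
        n //= p
        v += 1
    return v


def hensel_lift(coeffs, a, p, k):
    """Run w_{m+1} = w_m - F(w_m)/alpha in Z/p^k with a FIXED alpha = F'(a) mod p.

    Returns (b, valuations), where F(b) = 0 mod p^k, b = a mod p, and
    valuations[m] = ord_p(F(w_m)), capped at k.
    """
    modulus = p ** k
    if poly_eval(coeffs, a, p) != 0:
        raise ValueError("F(a) is not in I = pZ_p")
    alpha = poly_eval(derivative(coeffs), a, p)
    if alpha == 0:
        raise ValueError("F'(a) is not a unit of Z_p, the lemma does not apply")
    alpha_inv = pow(alpha, -1, modulus)
    w = a % modulus
    valuations = [ord_p(poly_eval(coeffs, w, modulus), p, k)]
    # Each step multiplies F(w_m) by 1 - F'(w_m)/alpha, which lies in pZ_p,
    # so the valuation of F(w_m) grows by at least one and the loop ends.
    while valuations[-1] < k:
        w = (w - poly_eval(coeffs, w, modulus) * alpha_inv) % modulus
        valuations.append(ord_p(poly_eval(coeffs, w, modulus), p, k))
    return w, valuations


if __name__ == "__main__":
    # Constructed input: a square root of 2 in Z_7, starting from 3^2 = 2 mod 7.
    root, vals = hensel_lift([-2, 0, 1], 3, 7, 6)
    print("sqrt(2) mod 7^6 =", root, " ord_7 F(w_m):", vals)
```

Because α is held fixed rather than recomputed as F′(w_m), convergence is only guaranteed to be linear: one more p-adic digit per step.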

10.2 Formal groups

We start with the definition:

Definition 10.3. Let R be a ring. A one-parameter commutative formal group law (ℱ, F), (hereafter simply a formal group law, or FGL), is a power series F(X, Y) ∈ R[[X, Y]] such that:

• F (X, 0) = X ,

• F (X, Y ) = F (Y,X), and

• F (X,F (Y, Z)) = F (F (X, Y ), Z).

Here is a proposition gathering two immediate further “grouplike” properties of these things:

Proposition 10.4. If (ℱ, F) is a formal group law, then:

1. F (X, Y ) = X + Y + higher order terms, and

2. There is a power series i(X) ∈ R[[X]] such that F (X, i(X)) = 0.

Proof. (Sketch) Part 1 is immediate from the first two conditions. For part 2, build i(X) term-by-term.

Now, here are a couple of simple examples of these things:

• The additive formal group law, denoted Ga, is given by F(X, Y) = X + Y. The inverse is given by i(X) = −X.

• The multiplicative formal group law, denoted Gm, is given by F(X, Y) = X + Y + XY. The inverse is given by i(X) = −X · (1 + X)^(−1) = −X + X^2 − X^3 + · · · .

Definition 10.5. Suppose (ℱ, F) and (𝒢, G) are formal group laws defined over a ring R. A homomorphism f between ℱ and 𝒢 is a power series f ∈ R[[X]] such that f(F(X, Y)) = G(f(X), f(Y)).

The classic example of a homomorphism is the “multiplication-by-n” endomorphism [n] of a formal group. This is analogous to the multiplication-by-n endomorphism of an ordinary group.

It is defined in the natural way as:

[0](X) = 0

[n + 1](X) = F([n](X), X)

[n − 1](X) = F([n](X), i(X))

and thus e.g.

[1](X) = X

[2](X) = F(X, X)

[3](X) = F(F(X, X), X)

[−1](X) = i(X)

[−2](X) = F(i(X), i(X))

10.3 Groups from formal groups

A formal group is just a power series with pleasant properties. It is well-known that power series in general need not converge as functions. However, if (ℱ, F) is a formal group defined over a complete local ring R with maximal ideal M, then F does define an honest group on M:

Proposition 10.6. The operations x +_F y = F(x, y) (for x, y ∈ M) and −_F x = i(x) (for x ∈ M) define a group structure on M.

Proof. If we take successive partial sums of either of these series, we get a Cauchy sequence. This is because, for all n, differences between partial sums are eventually within M^n and thus tend to 0 by definition of the norm on R.

Moreover, the limit is in M, by comments made earlier.

Definition 10.7. We call this group the associated group of ℱ, and denote it by ℱ(M).

Observe also that the M^n form subgroups for all n.

Here are some examples:

• The associated group of Ga is M under addition. Thus, letting k be the “residue field” R/M, there is an exact sequence

0→ Ga(M)→ R→ k → 0.

• The associated group of Gm is (after translating up by 1) 1 + M under multiplication. So there is another exact sequence

0→ Gm(M)→ R× → k× → 0.

Lecture 11

Formal groups continued

James Cranch, 21 / 02 / 2005

11.1 The Formal Group Law of an Elliptic Curve

Now we examine the local group structure of an elliptic curve E near the identity. It would be clumsy to attempt this without having the identity in full view, so we make a change of coordinates:

$$z = -\frac{x}{y}, \qquad w = -\frac{1}{y}; \qquad \text{i.e. } (X : Y : Z) \mapsto (-X : -Z : Y).$$

Now, if we look at the affine piece with coordinates z, w, we find the identity is at the origin. Furthermore, the generalised Weierstrass equation for E becomes:

$$w = z^3 + (a_1 z + a_2 z^2)w + (a_3 + a_4 z)w^2 + a_6 w^3 = f(z, w).$$

It is immediate from this to calculate that the tangent to the curve at the origin is w = 0: this makes us believe that near the origin a point is uniquely determined by z.

Indeed, we can write w as a formal power series in terms of z by using the formula above, and repeatedly substituting f(z, w) for w:

$$\begin{aligned}
w &= f(z, w) \\
&= z^3 + (a_1 z + a_2 z^2)w + (a_3 + a_4 z)w^2 + a_6 w^3 \\
&= z^3 + (a_1 z + a_2 z^2)f(z, w) + (a_3 + a_4 z)f(z, w)^2 + a_6 f(z, w)^3 \\
&= z^3 + (a_1 z + a_2 z^2)\bigl(z^3 + (a_1 z + a_2 z^2)w + (a_3 + a_4 z)w^2 + a_6 w^3\bigr) \\
&\quad + (a_3 + a_4 z)\bigl(z^3 + (a_1 z + a_2 z^2)w + (a_3 + a_4 z)w^2 + a_6 w^3\bigr)^2 \\
&\quad + a_6\bigl(z^3 + (a_1 z + a_2 z^2)w + (a_3 + a_4 z)w^2 + a_6 w^3\bigr)^3 \\
&= \cdots
\end{aligned}$$

Proposition 11.1. This process converges to give a power series w(z), satisfying f(z, w(z)) = w(z).

Proof. This is Hensel’s lemma, applied to the ring R = Z[a1, . . . , a6][[z]], which is complete with respect to the ideal Rz. For the polynomial F(w) we use f(z, w) − w, and we take a = 0, α = −1.

Indeed, we can compute the first few terms, using that every w contributes no z terms with a power less than three. Plugging in a bit we get

$$w(z) = z^3 + a_1 z^4 + (a_1^2 + a_2)z^5 + (a_1^3 + 2a_1a_2 + a_3)z^6 + \cdots.$$

In general we will write:

$$w(z) = z^3(1 + A_1 z + A_2 z^2 + \cdots).$$
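The substitution w ← f(z, w) from Proposition 11.1 can be carried out symbolically in Z[a1, . . . , a6][[z]] truncated at z^n, which recovers the coefficients of w(z) quoted above. This is an added example, not part of the original notes; the representation (a coefficient polynomial as a dict from exponent tuples to integers) and all function names are hypothetical choices.

```python
from collections import defaultdict

VARS = ("a1", "a2", "a3", "a4", "a6")
ONE = {(0, 0, 0, 0, 0): 1}          # the constant polynomial 1


def var(name):
    """The polynomial consisting of the single variable `name`."""
    exps = [0] * len(VARS)
    exps[VARS.index(name)] = 1
    return {tuple(exps): 1}


def p_add(p, q):
    out = defaultdict(int, p)
    for mono, c in q.items():
        out[mono] += c
    return {m: c for m, c in out.items() if c}


def p_mul(p, q):
    out = defaultdict(int)
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            out[tuple(i + j for i, j in zip(m1, m2))] += c1 * c2
    return {m: c for m, c in out.items() if c}


def series(n, terms):
    """Truncated series in z: entry d is the coefficient polynomial of z^d."""
    return [dict(terms.get(d, {})) for d in range(n)]


def s_add(s, t):
    return [p_add(x, y) for x, y in zip(s, t)]


def s_mul(s, t):
    """Product of two series, discarding every term of degree >= len(s)."""
    n = len(s)
    out = [{} for _ in range(n)]
    for i, x in enumerate(s):
        if not x:
            continue
        for j in range(n - i):
            if t[j]:
                out[i + j] = p_add(out[i + j], p_mul(x, t[j]))
    return out


def f(w, n):
    """f(z, w) = z^3 + (a1 z + a2 z^2) w + (a3 + a4 z) w^2 + a6 w^3, mod z^n."""
    z3 = series(n, {3: ONE})
    lin = series(n, {1: var("a1"), 2: var("a2")})
    quad = series(n, {0: var("a3"), 1: var("a4")})
    cub = series(n, {0: var("a6")})
    w2 = s_mul(w, w)
    w3 = s_mul(w2, w)
    return s_add(s_add(z3, s_mul(lin, w)),
                 s_add(s_mul(quad, w2), s_mul(cub, w3)))


def w_series(n):
    """Iterate w <- f(z, w) from w = 0 until it is stable modulo z^n."""
    w = series(n, {})
    while True:
        nxt = f(w, n)
        if nxt == w:
            return w
        w = nxt


def show(poly):
    """Human-readable form of a coefficient polynomial."""
    parts = []
    for mono, c in sorted(poly.items(), reverse=True):
        names = "*".join(f"{v}^{e}" if e > 1 else v
                         for v, e in zip(VARS, mono) if e)
        parts.append(names if c == 1 and names else f"{c}*{names}".rstrip("*"))
    return " + ".join(parts) or "0"


if __name__ == "__main__":
    for degree, coeff in enumerate(w_series(8)):
        if coeff:
            print(f"z^{degree}: {show(coeff)}")
```

Each pass fixes at least one more power of z, because the difference of two successive iterates is multiplied by an element of the ideal Rz; this is the convergence that the proof obtains from Hensel's lemma with a = 0 and α = −1.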

Now we have a one-variable parametrisation near the identity of an elliptic curve, it is just a matter of algebraic manipulation to derive the formal group law F. It is important to see how this is done, and so we shall see an algorithm.

We let z1, z2 symbolise variables for our parametrisation, and – writing w1 = w(z1), w2 = w(z2) – we see that (z1, w1), (z2, w2) will symbolise indeterminate points on the curve.

To take the sum of these points, we would construct the line through them. To do this we would calculate the slope

$$\lambda = \frac{w_2 - w_1}{z_2 - z_1} = \sum_{n=3}^{\infty} A_{n-3}\,\frac{z_2^n - z_1^n}{z_2 - z_1},$$

and by factorising the terms on the right, we see this lies in Z[a1, . . . , a6][[z1, z2]]. We also let c = w1 − λz1, so that the line through them has equation

$$w = \lambda z + c.$$

Substituting this into the transformed generalised Weierstrass equation we obtained earlier for w in terms of w and z gives a cubic in z:

$$(\lambda z + c) = z^3 + (a_1 z + a_2 z^2)(\lambda z + c) + (a_3 + a_4 z)(\lambda z + c)^2 + a_6(\lambda z + c)^3.$$

The three solutions (of which we know two already), representing the three points on the line, have z-coordinates whose sum is the z^2 term of the cubic divided by the z^3 term, so the inverse of the sum of z1 and z2 is given by

$$i(F(z_1, z_2)) = \frac{a_1\lambda + a_2 c + a_3\lambda^2 + 2a_4\lambda c + 3a_6\lambda^2 c}{1 + a_2\lambda + a_4\lambda^2 + a_6\lambda^3} - z_1 - z_2.$$

(Beware: I believe there is an error in Silverman’s book here!)

This also lies in Z[a1, . . . , a6][[z1, z2]] (this depends on the fact that λ has no constant term: we can expand the reciprocal of the denominator as a power series in z1, z2.)

But now we’re done: we can iterate this construction to get

F (z1, z2) = −i(F (i(F (z1, z2)), 0)).

So at last we have that:

Proposition 11.2. This gives a formal group law F.

Proof. Clear from the construction.

Following this calculation through, we get that the first few terms are

$$F(z_1, z_2) = z_1 + z_2 - a_1 z_1 z_2 - a_2(z_1^2 z_2 + z_1 z_2^2) - \cdots.$$

11.2 Elliptic curves over the p-adics

In this section, we let E be an elliptic curve over Qp, specified by a generalised Weierstrass equation with coefficients a1, . . . , a6 in Zp ⊂ Qp.

Examples of such things can be obtained, of course, by taking an elliptic curve over Q with coefficients in Z and performing a base change by the embedding Q ⊂ Qp.

The operations done above use only integer operations, so we get a formal group law F for E over Zp by the recipe above. The associated group structure is defined on pZp and is denoted E(pZp). It is a p-adic Lie group.

The remainder of this lecture and the next is devoted to analysing the structure.

We start with a lemma:

Lemma 11.3. Let (x0, y0) ∈ E(Qp), and let z0 = −x0/y0. The following are equivalent:

1. ordp(x0) < 0

2. ordp(y0) < 0

3. ordp(z0) > 0, i.e. z0 ∈ pZp.

Proof. We’ll demonstrate that (1) implies (2) and (3) and then that each of (2) and (3) imply (1).

• (1) ⇒ (2), (3): Consider the generalised Weierstrass equation for E in the form:

y^2 + a1xy + a3y = x^3 + a2x^2 + a4x (a1, . . . , a6 ∈ Zp)

If −r = ordp(x0) then the right-hand-side has valuation −3r, and if −s = ordp(y0) then the left-hand-side has valuation −2s. The equality of these valuations says 2r = 3s, so there is a d > 0 such that r = 2d, s = 3d. Thus ordp(z0) = ordp(x0) − ordp(y0) > 0.

• (2)⇒ (3): Immediate from argument above.

• (3) ⇒ (1): The inverse of our earlier coordinate change is x = z/w. We have a power series for w in terms of z:

$$w = z^3(1 + A_1 z + A_2 z^2 + \cdots)$$

and so we can express x in terms of z as

$$x = \frac{1}{z^2}\Bigl(1 - (A_1 z + A_2 z^2 + \cdots) + (A_1 z + A_2 z^2 + \cdots)^2 - \cdots\Bigr).$$

We evaluate at z = z0 to conclude.

Corollary 11.4. Let E1(Qp) be defined by

E1(Qp) = {0} ∪ {(x0, y0) ∈ E(Qp)| ordp(x0) < 0, ordp(y0) < 0}.

It is a subgroup of E(Qp).

Proof. Need only to show that it is closed under addition. Pick two points (x1, y1), (x2, y2) ∈ E1(Qp). We may pass from (xi, yi) to zi = −xi/yi, which by the lemma is in pZp. Our results on the formal group law show that F(z1, z2) ∈ pZp. By applying the lemma again, we conclude that (x1, y1) ⊕ (x2, y2) ∈ E1(Qp).

Finally, we get our promised interpretation of the p-adic formal group law:

Corollary 11.5. The map (x0, y0) ↦ −x0/y0 = z0 defines an isomorphism of groups

E1(Qp) ∼= E(pZp).

Lecture 12

Points of finite order

Vladimir Dokchitser, 23 / 02 / 2005

(Notes taken by James Cranch)

12.0 Motivation

We have proved the Mordell-Weil theorem in the case of an elliptic curve with a point of order 2, which says that E(Q) is a finitely generated abelian group. It can thus be written as E(Q) = ∆ × Z^g, where ∆ is finite.

Zacky’s lectures discussed how to find g, the Mordell-Weil rank of the elliptic curve. We are developing machinery now to find ∆.

To determine this, we will find it useful to pass to Qp. David Geraghty’s lecture 3 provided some evidence that the structure of elliptic curves over complete fields is rich. Thus, now, E is an elliptic curve given by

$$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6 \qquad (a_i \in \mathbb{Z}_p).$$

Last lecture, we introduced the subgroup E1(Qp) of E(Qp) defined by

E1(Qp) = {(x, y) ∈ E(Qp)| ordp(x0), ordp(y0) < 0},

in other words, it is a subgroup of points of E(Qp) that are p-adically close to infinity.

We also saw last time that it is isomorphic to E(pZp), the group associated to the formal group on the elliptic curve. This is just pZp, but with a funny addition law +_E given by x +_E y = F(x, y) where F is a power series in Zp[[X, Y]]:

$$F(X, Y) = X + Y - a_1XY - a_2(X^2Y + XY^2) + \text{higher order terms}.$$

Of course E(Qp) is uncountable, so we can’t expect to exhibit a finite presentation for it, or anything like that. We must be more subtle.

Recall that, associated to our other examples of formal group laws, the additive and multiplicative formal group laws, we had the following exact sequences:

0 → Ga(pZp) ≅ pZp → Zp → Fp → 0, and

0 → Gm(pZp) ≅ (1 + pZp)^× → Zp^× → Fp^× → 0.

These can be interpreted as exact sequences characterising elements that are close to the identity in each of these formal groups.

Analogously, in good conditions, we will end up with the exact sequence

0→ E1(Qp) ∼= E(pZp)→ E(Qp)→ E(Fp)→ 0,

where E is some elliptic curve over Fp. This will be unraveled over the next two lectures.

12.1 Points of finite order on E(pZp).

Recall the multiplication-by-m map [m] : E(pZp) → E(pZp). This is given by a power series [m](X) = mX + O(X^2).

We will start with

Lemma 12.1. If (m, p) = 1 then [m] : E(pZp)→ E(pZp) is injective.

Proof. This is clear, since ordp([m]x) = ordp(x).

In many cases, we can get a lot more than that.

Lemma 12.2. If f(X) = aX + O(X^2) is a power series in Zp[[X]] and a ∈ Zp^× is a unit, then there is a power series g(X) ∈ Zp[[X]] such that f(g(X)) = X.

Proof. Set g1(X) = a^(−1)X. Note that f(g(X)) = X + O(X^2). Having defined g_{n−1}, we inductively define

$$g_n(X) = g_{n-1}(X) + \lambda_n X^n,$$

for some λn yet to be chosen. We want that:

$$f(g_n(X)) = X + O(X^{n+1}).$$

This determines the value of λn we choose thus:

$$\begin{aligned}
f(g_n(X)) &= f(g_{n-1}(X) + \lambda_n X^n) \\
&\equiv f(g_{n-1}(X)) + a\lambda_n X^n \pmod{X^{n+1}} \\
&\equiv X + bX^n + a\lambda_n X^n \pmod{X^{n+1}},
\end{aligned}$$

for some b, so we take λn = −b/a.

Set g(X) = lim gn(X), observing that the limit exists, and note that f(g(X)) = X.

Remark. Since it has a right inverse, this proves that f is surjective as a map on power series. As g is of the same form, it too is surjective.

Hence g(f(X)) = X; and so g and f are mutually inverse isomorphisms, and thus in particular g is unique.

Corollary 12.3. If (m, p) = 1, then [m] : E(pZp) → E(pZp) is surjective, and thus an isomorphism (since we showed it injective earlier).

Remark. This shows that E(pZp) has no m-torsion for (m, p) = 1, and that every element is uniquely m-divisible.

Remark. The above proof works over any local field, and the condition becomes that m must be coprime to the residue characteristic.

Now, we present the key theorem of this lecture:

Theorem 12.4. Suppose E/Qp is an elliptic curve, given by

$$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6 \qquad (a_i \in \mathbb{Z}_p).$$

If p = 2, suppose also that 2 | a1. Then E1(Qp) ≅ E(pZp) has no elements of order p.

Remark. This is false over more arbitrary local fields, such as algebraic extensions of Qp.

Proof. Make a change of variables:

$$y' = y + \frac{a_1}{2}x, \qquad x' = x.$$

This is, of course, where we use the assumption when p = 2. We get

$$E' : y'^2 + a_3'y' = x'^3 + a_2'x'^2 + a_4'x' + a_6',$$

and E1(Qp) is taken isomorphically to E′1(Qp).

Thus we may suppress the awful prime notation, and just assume that a1 = 0. We recall the first few terms of the formal group law

$$F(X, Y) = X + Y - a_1XY - a_2(X^2Y + XY^2) + \cdots$$

and note that the XY term vanishes. Now, if x, y ∈ p^n Zp then

$$x +_E y = F(x, y) \equiv x + y \pmod{p^{3n}\mathbb{Z}_p}.$$

By repeated application of this, if x ∈ p^n Zp, then

$$[p](x) \equiv px \pmod{p^{3n}\mathbb{Z}_p},$$

and thus if x ≠ 0, and ordp(x) = n then ordp([p](x)) = n + 1 and thus [p](x) ≠ 0.

Corollary 12.5. If E/Q is an elliptic curve, with coefficients ai in Z, and 2 | a1, then E1(Qp) has no points of finite order for any p. In particular, then, any point of finite order on E(Q) has integer coordinates.

Remark. The theorem is also true over any unramified extension of Qp, for the same reasons, but is dramatically false otherwise.

Remark. It is possible to prove that [p] : E(pZp) → E(pZp) can be expressed as [p](X) = pf(X) + g(X^p) for f, g ∈ Zp[[X]], or equivalently that

$$\frac{d}{dX}[p](X) \equiv 0 \pmod{p}.$$

Lecture 13

Minimal Weierstrass Equations

Mahesh Kakde, 25 / 02 / 2005

Let E be an elliptic curve over Q given by the Generalised Weierstrass Equation (GWE)

$$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6.$$

Under the change of variables x = u^2 x′ and y = u^3 y′, the coefficients get changed as follows:

$$u^i a_i' = a_i \quad \text{for } i = 1, 2, 3, 4, 6.$$

Hence E can be defined by a GWE over Z. The advantage of having a GWE over Z is that we can reduce the coefficients mod some prime p and obtain a GWE over the finite field Fp. Reducing mod p is a subtle business since it depends on the choice of the equation defining the given curve E: two equations with coefficients in Z may define curves which are isomorphic over Q but whose reductions mod p are not isomorphic as curves over Fp.

Example: Consider E : y^2 = x^3 − 432. The discriminant is ∆(E) = −2^12 · 3^9. So the plane cubic curve E2 : y^2 = x^3 obtained by reducing mod 2 has discriminant 0 in F2 and hence is singular. However, after making the change of variables x = 4x′ and y = 8y′ − 4 we get an isomorphic curve E′ : y′^2 − y′ = x′^3 − 7 with discriminant ∆(E′) = −3^9. Hence its reduction mod 2 gives a nonsingular plane cubic curve.

The problem here is that the first equation defining E is not a “Minimal Weierstrass Equation” at 2.

Definition 13.1. Let E/Qp be an elliptic curve. A GWE defining E is said to be a Minimal Weierstrass Equation (MWE) at p if ordp(∆) is minimum among all the GWE’s defining E subject to the condition that all the coefficients are in Zp. If ∆ is the discriminant of a minimal Weierstrass equation then ordp(∆) is the valuation of minimal discriminant.

Remark: The existence of a MWE is obvious. And we have the following uniqueness theorem.

Theorem 13.2. A MWE is unique up to the following change of variables: x = u^2 x′ + r and y = u^3 y′ + u^2 s x′ + t, where u ∈ Zp^×, r, s, t ∈ Zp.

Proof. Since ∆ = u^12 ∆′ and ordp(∆) = ordp(∆′), u ∈ Zp^×. The transformation for b6 and b8 gives that 4r^3 and 3r^4 are in Zp. Hence r is in Zp. Now the transformation for a2 gives s ∈ Zp and the transformation for a6 gives t ∈ Zp.

Hence the curve obtained by reducing the coefficients of a MWE is unique up to the standard change of variables over Fp (i.e. x = u^2 x′ + r and y = u^3 y′ + u^2 s x′ + t).

13.1 Criteria for minimality

For the standard change of variables ∆ = u^12 ∆′, i.e. the valuation of the discriminant changes by multiples of 12. Similarly it can be checked that the valuations of c4 and c6 change by multiples of 4 and 6 respectively.

Proposition 13.3. A GWE defining E/Qp with coefficients in Zp is minimal if either of the following two conditions holds:

1. ordp(∆) < 12

2. ordp(c4) < 4 (which one easily checks is equivalent to ordp(c6) < 6).

Proof. Clear from above discussion.

Remark. If p ≠ 2, 3 then it is an easy exercise to check that the converse is true. If p = 2 then the following example shows that the converse need not be true (if I did not make any mistake): y^2 = x^3 + 3x^2 − 16x.

Thus we can canonically reduce an elliptic curve E/Qp to a cubic curve over Ep defined over Fp (I will drop the subscript p whenever there is no ambiguity, which usually arises when we are considering E/Q as an elliptic curve over Qp for various p’s and then reducing them mod p). This curve need not be nonsingular in general. If it is then we say that E has a good reduction at p. Else we say that E has bad reduction at p. Clearly E has good reduction at p if and only if the valuation of minimal discriminant is 0.

13.2 Reduction mod p on points

Let ∼ denote the natural surjection Zp → Fp. We define the reduction mod p map P2(Qp) → P2(Fp) as follows. Take a point (X : Y : Z) in P2(Qp) and scale it so that all the coordinates are in Zp and at least one of them is in Zp^×. Then map (X : Y : Z) to (X̃ : Ỹ : Z̃). This gives a well defined map, again denoted by ∼, from P2(Qp) → P2(Fp).

Let E/Qp be an elliptic curve defined by the MWE y^2 + a1xy + a3y = x^3 + a2x^2 + a4x + a6 and let Ẽ be the curve obtained by reduction mod p given by the equation y^2 + ã1xy + ã3y = x^3 + ã2x^2 + ã4x + ã6. Clearly, ∼ : P2(Qp) → P2(Fp) maps E(Qp) into Ẽ(Fp).

Let E have good reduction at p. Hence Ẽ is an elliptic curve over Fp. Recall,

$$\begin{aligned}
E_1(\mathbb{Q}_p) &= \{P = (x, y) \in E(\mathbb{Q}_p) : \operatorname{ord}_p(x) < 0\} \cup \{O\} \\
&= \{P = (x, y) \in E(\mathbb{Q}_p) : \operatorname{ord}_p(y) < 0\} \cup \{O\} \\
&= \{P = (x, y) \in E(\mathbb{Q}_p) : \operatorname{ord}_p(x/y) > 0\} \cup \{O\}.
\end{aligned}$$

Hence E1(Qp) = {P ∈ E(Qp) : P̃ = Õ}, where Õ is the identity of Ẽ(Fp).

Proposition 13.4. Let E/Qp be an elliptic curve with good reduction at p. Then we get the following short exact sequence of abelian groups:

0→ E1(Qp) −→ E(Qp) −→ E(Fp)→ 0

where the map on the right is the reduction mod p map ∼.

Proof. Since ∼ : P2(Qp) → P2(Fp) takes lines to lines the map on the right is a group homomorphism. Now the map on the left is just the kernel of this homomorphism. So it only remains to prove that ∼ is surjective. Let f(x, y) be the difference of the two sides of the MWE defining E. Then

((∂/∂x)f(α, β), (∂/∂y)f(α, β)) ≠ 0

for any (α, β) such that f(α, β) = 0. Suppose (∂/∂x)f(α, β) ≠ 0; then choose any y0 ∈ Zp such that ỹ0 = β and solve the equation f(x, y0) = 0 using Hensel’s Lemma. The case where ∂f/∂y ≠ 0 is similar.

Application. Let E/Qp have good reduction at p. Recall that E1(Qp) ≅ E(pZp) and E(pZp) does not have any torsion points (if p = 2, then under the hypothesis that a1 ∈ 2Z2). Hence (under the same hypothesis) E1(Qp) does not have any torsion points. So we conclude from the short exact sequence in the proposition that the torsion subgroup ∆(E) of E(Qp) injects in E(Fp). This gives a quick method for finding the torsion subgroup of elliptic curves defined over Q (which we know by Mordell-Weil to be finite).

Examples

1. E : y^2 + y = x^3 − x + 1. Discriminant ∆ = −13 · 47. So the equation is a MWE and E has good reduction at 2. One can check by hand that E(F2) is trivial. Since a1 = 0, we conclude that the torsion subgroup of E(Q) is trivial.

2. E : y^2 = x^3 + 3. Its discriminant is ∆ = −3^5 · 2^4. So the equation is a MWE. E has good reduction at all p ≥ 5 and |E(F5)| = 6 and |E(F7)| = 13. Hence the torsion subgroup of E(Q) is trivial.

3. Sometimes we need to find the structure of the group E(Fp) – just knowing the order is not enough. Consider E : y^2 = x^3 + x. It has discriminant ∆ = −64. (0, 0) ∈ E(Q) is a point of order 2. E(F3) ≅ Z/4Z, while E(F5) ≅ (Z/2Z)^2, hence the torsion subgroup of E(Q) is Z/2Z. (Exercise: 4 divides the order of E(Fp) for all p ≥ 3).
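The three examples, and the discriminants in the y^2 = x^3 − 432 example earlier in this lecture, can be checked by brute force over small Fp. This is an added sketch, not part of the original notes: the function names are hypothetical, a curve is the tuple (a1, a2, a3, a4, a6), and it relies on the standard fact (not stated in these notes) that E(Fp) ≅ Z/d × Z/e with d | e, so that any group embedding in E(Fp) for several p embeds in Z/gcd(d) × Z/gcd(e).

```python
from math import gcd


def discriminant(curve):
    """Discriminant of y^2 + a1xy + a3y = x^3 + a2x^2 + a4x + a6."""
    a1, a2, a3, a4, a6 = curve
    b2 = a1 * a1 + 4 * a2
    b4 = 2 * a4 + a1 * a3
    b6 = a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    return -b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6


def points(curve, p):
    """Affine points of the reduced curve over F_p (identity not included)."""
    a1, a2, a3, a4, a6 = curve
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y + a1 * x * y + a3 * y
                - (x ** 3 + a2 * x * x + a4 * x + a6)) % p == 0]


def add(curve, p, P, Q):
    """Chord-and-tangent addition on a nonsingular reduction; None is O."""
    a1, a2, a3, a4, a6 = curve
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2 + a1 * x2 + a3) % p == 0:
        return None                       # Q = -P
    if x1 != x2:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p)
    else:                                 # P = Q, tangent line
        lam = ((3 * x1 * x1 + 2 * a2 * x1 + a4 - a1 * y1)
               * pow((2 * y1 + a1 * x1 + a3) % p, -1, p))
    x3 = (lam * lam + a1 * lam - a2 - x1 - x2) % p
    y3 = (-(lam + a1) * x3 - (y1 - lam * x1) - a3) % p
    return (x3, y3)


def order(curve, p, P):
    n, Q = 1, P
    while Q is not None:
        Q = add(curve, p, Q, P)
        n += 1
    return n


def shape(curve, p):
    """(d, e) with E(F_p) = Z/d x Z/e and d | e, for p where the notes' injection applies."""
    if discriminant(curve) % p == 0:
        raise ValueError("equation is singular mod p: bad reduction or not minimal")
    if p == 2 and curve[0] % 2:
        raise ValueError("p = 2 needs 2 | a1")
    pts = points(curve, p)
    exponent = 1
    for P in pts:
        o = order(curve, p, P)
        exponent = exponent * o // gcd(exponent, o)
    return (len(pts) + 1) // exponent, exponent


def torsion_bound(curve, primes):
    """(d, e): the torsion of E(Q) embeds in Z/d x Z/e."""
    d = e = 0
    for p in primes:
        dp, ep = shape(curve, p)
        d, e = gcd(d, dp), gcd(e, ep)
    return d, e


if __name__ == "__main__":
    print(torsion_bound((0, 0, 1, -1, 1), [2]))     # example 1
    print(torsion_bound((0, 0, 0, 0, 3), [5, 7]))   # example 2
    print(torsion_bound((0, 0, 0, 1, 0), [3, 5]))   # example 3
```

For example 3 the bound is Z/1 × Z/2, and the point (0, 0) of order 2 shows the bound is attained; the orders alone (4 and 4) would not have decided it.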

Lecture 14

Reduction mod p II and torsion points over algebraic extensions

David Loeffler, 28 / 02 / 2005

We shall now change tack slightly; having seen how to determine the m-torsion points over Q, we shall now consider the effect of extending the base field by adjoining points of finite order in the quotient E(Q̄)/E(Q).

Recall from lecture 9 that the maximal unramified extension of Qp is denoted by Qp^nr. We shall also occasionally use the notation Q(R), where R ∈ E(Q̄), to mean the field generated over Q by the coordinates of R. For A an abelian group, A_m is the m-torsion subgroup (the kernel of multiplication by m).

We shall initially consider this problem locally, before passing to the global case.

Theorem 14.1. Let E/Qp be an elliptic curve with good reduction at p, and m ∈ N with (m, p) = 1.

1. There are isomorphisms

$$E(\mathbb{Q}_p)_m \xrightarrow{\ \sim\ } E_p(\mathbb{F}_p)_m, \qquad \frac{E(\mathbb{Q}_p)}{mE(\mathbb{Q}_p)} \xrightarrow{\ \sim\ } \frac{E_p(\mathbb{F}_p)}{mE_p(\mathbb{F}_p)}$$

2. If R ∈ E(Q̄p) is such that mR ∈ E(Qp), then Qp(R)/Qp is unramified.

3. The group E(Qp^nr) is m-divisible, and contains E(Q̄p)_m.

Proof.

(1) Recall that the group E1(Qp) which is the kernel of the reduction-mod-p map is torsion-free and m-divisible. A very tidy proof can be obtained by using the Snake Lemma on the diagram obtained by applying the map [m] to every term of the exact sequence 0 → E1(Qp) → E(Qp) → Ep(Fp) → 0. However, using something as powerful as the Snake Lemma here is rather unsporting, so we shall prove the result directly.

Let α and β be the maps on the two groups mentioned, arising from reduction mod p on points; it is clear that both are well-defined, since the reduction of an m-torsion point is certainly an m-torsion point.

In the first case, α is clearly injective since E1 is torsion-free. But if P̃ is a point of Ep(Fp)_m, arising as the reduction of some P ∈ E(Qp), then we must have mP ∈ E1. As E1 is m-divisible, we can write mP = mT for some T ∈ E1; hence P − T ∈ E(Qp)_m. But α(P − T) = P̃ − T̃ = P̃, so α is surjective.

In the second case it is the surjectivity that is obvious; so we must prove the injectivity. Let P be a point such that P̃ ∈ mEp(Fp); we must show P ∈ mE(Qp). However, if P̃ = mQ̃, then P − mQ ∈ E1, so as before P − mQ = mT and P = m(Q + T) ∈ mE(Qp) as required.

(3) (We shall prove this first, then deduce 2.) In the above result, we may freely replace Qp and Fp by any finite unramified extension and its residue field; passing to the inductive limit over all such fields, we obtain

$$E(\mathbb{Q}_p^{nr})_m \xrightarrow{\ \sim\ } E_p(\overline{\mathbb{F}}_p)_m, \qquad \frac{E(\mathbb{Q}_p^{nr})}{mE(\mathbb{Q}_p^{nr})} \xrightarrow{\ \sim\ } \frac{E_p(\overline{\mathbb{F}}_p)}{mE_p(\overline{\mathbb{F}}_p)}$$

However, we can identify both of these groups. It will follow from our study of isogenies in the next lecture that the map [m] is a non-constant separable morphism of degree m^2 on the irreducible curve Ep over the algebraically closed field F̄p; so by the Finiteness Theorem of algebraic geometry, it is surjective (the second group is trivial) and the first group (its kernel) has order m^2. But there cannot be more than m^2 points in E(Q̄p)_m, so E(Q̄p)_m = E(Qp^nr)_m.

(2) By part (3) we know that there is some R′ ∈ E(Qp^nr) such that mR′ = P, since E(Qp^nr) is an m-divisible group. However, we then have m(R′ − R) = 0, so S = R − R′ ∈ E(Q̄p)_m; from the second part of (3), S ∈ E(Qp^nr), so R = R′ + S ∈ E(Qp^nr).

Now, we return to the case of number fields. Suppose R ∈ E(Q̄) is an m-division point – that is, mR ∈ E(Q). The remarks on algebraic extensions of Qp in lecture 9 imply:

Corollary 14.2. Let S be the set of primes where E has bad reduction. Then the field extension Q(R)/Q is unramified except in S and at the primes dividing m.

This is a fairly stringent condition to place on the extension Q(R)/Q. We also have another condition, and the two between them are sufficient to pin down the field Q(R) to one of a finite set of extensions.

Lemma 14.3. [Q(R) : Q] ≤ m2.

Proof. Suppose P = mR ∈ E(Q). Then there are at most m^2 points R′ such that mR′ = P, since the difference between any two is an m-torsion point, and |E(Q̄)_m| = m^2 (either by the algebraic-geometry methods above, or by identifying E with the quotient of C with a certain lattice). However, any embedding σ : Q(R) ↪ Q̄ must map R to one of these m^2 points, and it is determined by the image of R. Since there are exactly [Q(R) : Q] such embeddings, the result follows.

Theorem 14.4 (Hermite). For any finite set T of primes and any n ∈ N, there are only finitely many extensions of Q which are unramified outside T and have degree at most n.

We now consider the extension obtained by adjoining all m-division points.

Corollary 14.5. Let L = Q[{R ∈ E(Q̄) : mR ∈ E(Q)}]. Then L is a finite extension of Q, unramified outside S and the primes dividing m.

Proof. The only statement requiring proof is that [L : Q] is finite; but the previous two results imply that every m-division point is defined over one of a finite set of extensions, so we may take L to be their composite, which is therefore finite.

Remark. This result is immediate from Mordell-Weil, without using Hermite’s result, since we need only use a finite set of points (the m-torsion points and one m-division point of each of some finite set of generators); but we will in fact use this result in proving the general case of Mordell-Weil.

Lecture 15

Isogenies

Bjarki Holm, 02 / 03 / 2005

(Notes taken by James Cranch)

15.1 Introduction

We begin with the key definition.

Definition 15.1. Let $K$ be algebraically closed and perfect¹. Let $E_1$ and $E_2$ be elliptic curves over $K$, with base points $0_1$ and $0_2$. An isogeny between $E_1$ and $E_2$ is a morphism

$$\phi : E_1 \longrightarrow E_2$$

of varieties such that $\phi(0_1) = 0_2$. We say that $E_1$ and $E_2$ are isogenous if there exists an isogeny between them with $\phi(E_1) \neq \{0_2\}$.

Note that any rational map $E_1 \to E_2$ is a morphism.

If $L$ is a subfield of $K$ and $E_1$ and $E_2$ are defined over $L$, then a morphism $\phi$ is defined over $L$ if it is given by homogeneous polynomials with coefficients in $L$.

Definition 15.2. The coordinate ring of an elliptic curve over $K$ is given by

$$K[E] = K[X, Y]/(y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6).$$

The function field is defined to be the field of fractions of $K[E]$:

$$K(E) = \operatorname{Frac} K[E].$$

Remark. Giving an isogeny $\phi : E_1 \to E_2$ is equivalent to giving an element of $E_2(K(E_1))$.

15.2 Isogenies are surjective

Proposition 15.3. Let $K$ be algebraically closed and perfect, and let $E_1$ and $E_2$ be defined over $K$, with $\phi : E_1 \to E_2$ a non-constant isogeny. Then $\phi(E_1(K)) = E_2(K)$, or in other words $\phi$ is surjective.

¹ A field is perfect if all its finite extensions are separable, or equivalently if it has characteristic 0 or has characteristic $p$ and contains the $p$-th powers of every element.

Proof. This follows immediately from the general statement, from elementary algebraic geometry, that a morphism $\phi : C_1 \to C_2$ of curves is either constant or surjective.

Now let $\phi : E_1 \to E_2$ be a non-constant isogeny defined over $K$. Then composition with $\phi$ induces an injection of function fields:

$$\phi^* : K(E_2) \longrightarrow K(E_1), \qquad f \longmapsto f \circ \phi.$$

Since $\phi^*(K(E_2)) \subseteq K(E_1)$ and both $K(E_1)$ and $K(E_2)$ have transcendence degree 1 over $K$, and are finitely generated extensions of $K$, we get that $K(E_1)$ is a finite algebraic extension of $\phi^*(K(E_2))$; in symbols, $[K(E_1) : \phi^*(K(E_2))] < \infty$.

Definition 15.4. We say that $\phi$ is separable if the extension $K(E_1)/\phi^*(K(E_2))$ is separable, and we denote the degrees by:

$$\begin{aligned}
\deg(\phi) &= [K(E_1) : \phi^*(K(E_2))], && \text{the degree;} \\
\deg_s(\phi) &= [K(E_1) : \phi^*(K(E_2))]_s, && \text{the separable degree;} \\
\deg_i(\phi) &= [K(E_1) : \phi^*(K(E_2))]_i, && \text{the inseparable degree.}
\end{aligned}$$

In the above, the separable degree $[L : K]_s$ of a field extension $L/K$ is the degree $[K' : K]$ of the maximal subfield $K'$ of $L$ that is separable over $K$. With the same notation, the inseparable degree $[L : K]_i$ is the degree $[L : K']$.

15.3 Isogenies are group homomorphisms

Since we have established group laws for elliptic curves, we might suspect that isogenies are in fact group homomorphisms.

Theorem 15.5. An isogeny $\phi : E_1 \to E_2$ is a group homomorphism, i.e. $\phi(P \oplus Q) = \phi(P) \oplus \phi(Q)$.

Proof. This is obvious if $\phi$ is the constant map: $\phi(E_1) = 0_2$. Thus we assume $\phi$ is non-constant, and thus a finite map. We now introduce some tools from elementary algebraic geometry.

Definition 15.6. A finite formal linear combination of points $D = \sum_{P \in E} n_P (P)$ on a curve $E$ is called a divisor. If $D$ has the form $D = \operatorname{div}(f) = \sum_{P \in E} \operatorname{ord}_P(f)\,(P)$ for some $f \in K(E)^\times$, then it is said to be principal.

We set the degree to be $\deg(D) = \sum_{P \in E} n_P$, and let $\operatorname{Div}^0(E)$ be the group of divisors of degree zero under pointwise addition. Note that a principal divisor always has degree zero.

The (reduced) Picard group or divisor class group $\operatorname{Pic}^0(E)$ is then defined to be the quotient of $\operatorname{Div}^0(E)$ by the subgroup of principal divisors.

We now state without proof a few standard results from algebraic geometry:

1. $\phi$ induces a homomorphism

$$\phi_* : \operatorname{Pic}^0(E_1) \longrightarrow \operatorname{Pic}^0(E_2)$$

by sending the divisor $\sum_{P \in E_1} n_P (P)$ to $\sum_{P \in E_1} n_P (\phi(P))$.

2. We have group isomorphisms

$$\kappa_i : E_i \longrightarrow \operatorname{Pic}^0(E_i), \qquad P \longmapsto \text{class of } (P) - (0_i)$$

for $i = 1, 2$.

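Now, since $\phi(0_1) = 0_2$, we get a commutative diagram:

$$\begin{array}{ccc}
E_1 & \xrightarrow[\ \kappa_1\ ]{\sim} & \operatorname{Pic}^0(E_1) \\
\downarrow{\scriptstyle \phi} & & \downarrow{\scriptstyle \phi_*} \\
E_2 & \xrightarrow[\ \kappa_2\ ]{\sim} & \operatorname{Pic}^0(E_2)
\end{array}$$

Since $\kappa_1$, $\kappa_2^{-1}$ and $\phi_*$ are group homomorphisms, we may read off at once that $\phi$ is too.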

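Remark. Analogous to the fundamental exact sequence from class field theory is the exact sequence

$$0 \longrightarrow K^\times \longrightarrow K(E)^\times \longrightarrow \operatorname{Div}^0(E) \longrightarrow \operatorname{Pic}^0(E) \longrightarrow 0.$$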

15.4 Isogenies have finite kernels

The following is a fact from algebraic geometry: if $\phi : E_1 \to E_2$ is a non-constant rational map, then for every $Q \in E_2(K)$, the cardinality of $\phi^{-1}(Q)$ is finite, and for all but finitely many $Q \in E_2(K)$, we have $\#(\phi^{-1}(Q)) = \deg_s(\phi)$.

Lemma 15.7. If $\phi : E_1 \to E_2$ is a non-constant isogeny over an algebraically closed field $K$, then $\#(\phi^{-1}(Q)) = \deg_s(\phi)$ for all $Q \in E_2(K)$.

Proof. From above, $\#(\phi^{-1}(Q)) = \deg_s(\phi)$ for almost all $Q \in E_2$. But for any $Q, Q' \in E_2$, if we choose some $R \in E_1$ with $\phi(R) = Q' - Q$, then the fact that $\phi$ is a homomorphism implies a one-to-one correspondence:

$$\phi^{-1}(Q) \longleftrightarrow \phi^{-1}(Q'), \qquad P \longmapsto P \oplus R.$$

Thus $\#(\phi^{-1}(Q))$ is the same for all $Q \in E_2$, and the result follows.

Corollary 15.8. This implies $\ker(\phi)$ is finite, and has order $\deg_s(\phi)$.

15.5 Quotients of elliptic curves

Proposition 15.9. Let $E$ be an elliptic curve and let $\Phi$ be a finite subgroup of $E$. Then there is a unique elliptic curve $E' = E/\Phi$ and a separable isogeny $\phi : E \to E'$, such that $\ker(\phi) = \Phi$.

Proof. Omitted.

Remark. Suppose that $E$ is defined over some subfield $L$ of $K$; let $K^{\mathrm{s}}$ be the separable closure of $L$ in $K$. If $\Phi$ is $\operatorname{Gal}(K^{\mathrm{s}}/L)$-invariant (i.e. for all $P \in \Phi$ and all $\sigma \in \operatorname{Gal}(K^{\mathrm{s}}/L)$, $\sigma P \in \Phi$), then we can find $E'$ and $\phi$ as above, defined over $L$ (see Silverman, p. 79). Moreover, the points of $E'$ are set-theoretically the quotient of those of $E$ by $\Phi$.

15.6 Complex multiplication

Definition 15.10. If $E_1$ and $E_2$ are two elliptic curves, then we define the group of isogenies to be

$$\operatorname{Hom}(E_1, E_2) = \{\text{isogenies } E_1 \to E_2\}.$$

It is a group under pointwise addition.

If $E$ is an elliptic curve, we define the endomorphism ring of $E$ to be

$$\operatorname{End}(E) = \operatorname{Hom}(E, E).$$

It is a ring with multiplication given by composition.

There is an inclusion of $\mathbb{Z}$ into $\operatorname{End}(E)$ given by $m \mapsto [m]_E$ (the multiplication-by-$m$ map).

Definition 15.11. We say $E$ has complex multiplication if $\operatorname{End}(E)$ is strictly larger than $\mathbb{Z}$.

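Example. Suppose $\operatorname{char}(K) \neq 2$ and $K = \bar{K}$, and let $E/K$ be the elliptic curve

$$E : y^2 = x^3 - x.$$

Then, in addition to this copy of $\mathbb{Z}$, $\operatorname{End}(E)$ contains an element $[i]_E$ with $i^2 = -1$, given by

$$[i]_E : (x, y) \longmapsto (-x, iy).$$

This defines an embedding $\mathbb{Z}[i] \hookrightarrow \operatorname{End}(E)$. In fact, if $\operatorname{char}(K) = 0$ then this is all:

$$\operatorname{End}(E) \cong \mathbb{Z}[i], \quad \text{via } m + ni \mapsto [m]_E + ([n]_E \circ [i]_E).$$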

Here are the basic properties of the group of isogenies and the endomorphism ring in general:

Proposition 15.12. $\operatorname{Hom}(E_1, E_2)$ is torsion-free (since $[m]$ is never zero for $m \neq 0$). Thus, in particular, the map $\mathbb{Z} \hookrightarrow \operatorname{End}(E)$ is indeed injective.

Proof. Suppose $\phi$ is a nonzero torsion element of order $m$. Then $[m] \circ \phi = [0]$. But taking degrees,

$$(\deg[m])(\deg \phi) = 0.$$

Since $[m]$ is non-constant, both degrees on the left hand side are positive: a contradiction.

Proposition 15.13. $\operatorname{End}(E)$ has no zero divisors.

Proof. As above, if $\phi \circ \psi = [0]$, then

$$(\deg \phi)(\deg \psi) = 0,$$

so one of the factors is the zero map.

Proposition 15.14. $\operatorname{rank}_{\mathbb{Z}}(\operatorname{End}(E)) \le 4$.

Proof. Omitted. (It is hard).

Example. If $\operatorname{char}(K) \equiv 3 \pmod 4$ then equality may be achieved.

Lecture 16

Dual isogenies and the structure of the torsion subgroup

Cornelius Probst, 04 / 03 / 2005

16.1 Introduction

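Some lectures ago, we tried to determine

$$\Delta(\mathbb{Q}) = E_{\mathrm{tors}}(\mathbb{Q}) = \bigcup_m E_m(\mathbb{Q})$$

in

$$E(\mathbb{Q}) = \Delta \times \mathbb{Z}^{\operatorname{rank}(E)}.$$

Our approach was to look at $E(\mathbb{Q}_p)$. Provided $E/\mathbb{Q}_p$ has good reduction, we found an injection $E_m(\mathbb{Q}_p) \hookrightarrow E_m(\mathbb{F}_p)$. Assuming again good reduction, we then stated results like

$$E_m(\bar{\mathbb{Q}}_p) = E_m(\mathbb{Q}_p^{\mathrm{nr}}) \simeq E_m(\bar{\mathbb{F}}_p) \simeq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z},$$

this time provided that $(m, p) = 1$.

For the proof, we needed the fact that multiplication by $m$ has degree $m^2$. We didn’t show $E_m(\bar{\mathbb{F}}_p) \simeq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$ either.

The main objective of this lecture is to complete these proofs. We achieve this by introducing the dual isogeny.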

16.2 Revision of last lecture

(R1) We defined $\operatorname{Hom}(E_1, E_2) := \{\text{isogenies } \phi : E_1 \to E_2\}$.

(R2) We defined the degree of an isogeny as

$$\deg : \operatorname{Hom}(E_1, E_2) \longrightarrow \mathbb{Z}, \qquad \phi \longmapsto [K(E_1) : \phi^*(K(E_2))].$$

(R3) An isogeny respects the group structure of $E(K)$, i.e. is a group homomorphism.

(R4) We proved: If $\phi : E_1 \to E_2$ is an isogeny of elliptic curves, then for all $Q \in E_2$:

$$|\phi^{-1}(Q)| = \deg_s(\phi).$$

(R5) We found that $\mathbb{Z} \hookrightarrow \operatorname{End}(E)$ via the $[m]$-map, and that $\operatorname{End}(E)$ has neither torsion as an additive group nor zero divisors.

16.3 The dual isogeny and deg[m]

Theorem 16.1. Given a non-constant isogeny $\phi : E_1 \to E_2$ of degree $m$, there exists a unique isogeny $\hat\phi : E_2 \to E_1$ such that $\hat\phi \circ \phi = [m]_{E_1}$; hence the following diagram commutes:

$$\begin{array}{ccc}
E_1 & \xrightarrow{\ \phi\ } & E_2 \\
 & {\scriptstyle [m]_{E_1}}\searrow & \downarrow{\scriptstyle \hat\phi} \\
 & & E_1
\end{array}$$

Proof. We omit existence. The proof for this uses advanced algebraic geometry and can be found in Silverman, III, 6, Thm. 6.1.

To show uniqueness, assume that $\hat\phi_1$ and $\hat\phi_2$ both satisfy the above condition. We then have

$$\hat\phi_1 \circ \phi = [m]_{E_1} = \hat\phi_2 \circ \phi,$$

which implies

$$[0] = \hat\phi_1 \circ \phi - \hat\phi_2 \circ \phi = (\hat\phi_1 - \hat\phi_2) \circ \phi.$$

As $\phi$ is assumed to be non-constant, we conclude that $\hat\phi_1 - \hat\phi_2 = [0]$, which finally forces the desired equality $\hat\phi_1 = \hat\phi_2$.

Definition 16.2 (The dual isogeny). Let $\phi : E_1 \to E_2$ be an isogeny. The dual isogeny to $\phi$ is the isogeny $\hat\phi : E_2 \to E_1$ given by the above theorem. If $\phi = [0]$, we set $\hat\phi = [0]$.

Theorem 16.3 (Properties of the dual isogeny).

(a) $\phi \circ \hat\phi = [m]_{E_2}$

(b) Let $\lambda : E_2 \to E_3$ be another isogeny and $n := \deg(\lambda)$, so that we have

$$E_1 \xrightarrow{\ \phi\ } E_2 \xrightarrow{\ \lambda\ } E_3.$$

Then taking

$$E_1 \xleftarrow{\ \hat\phi\ } E_2 \xleftarrow{\ \hat\lambda\ } E_3$$

gives the dual isogeny, hence $\widehat{\lambda \circ \phi} = \hat\phi \circ \hat\lambda$.

(c) Let $\psi : E_1 \to E_2$ be another isogeny. Then $\widehat{\phi + \psi} = \hat\psi + \hat\phi$.

(d) For all $m \in \mathbb{Z}$, we have $\widehat{[m]} = [m]$ and $\deg[m] = m^2$.

(e) $\deg(\hat\phi) = \deg(\phi)$

(f) $\hat{\hat\phi} = \phi$

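Proof.

(a) The diagram

$$\begin{array}{ccc}
E_1 & \xrightarrow{\ \phi\ } & E_2 \\
\downarrow{\scriptstyle [m]} & & \downarrow{\scriptstyle [m]} \\
E_1 & \xrightarrow{\ \phi\ } & E_2
\end{array}$$

commutes because of (R3). In particular, $\phi \circ [m]_{E_1} = [m]_{E_2} \circ \phi$. Hence $(\phi \circ \hat\phi) \circ \phi = \phi \circ [m]_{E_1} = [m]_{E_2} \circ \phi$, and since $\phi$ is non-constant we may cancel it on the right to get $\phi \circ \hat\phi = [m]_{E_2}$.

(b) We note that

$$(\hat\phi \circ \hat\lambda) \circ (\lambda \circ \phi) = \hat\phi \circ (\hat\lambda \circ \lambda) \circ \phi = \hat\phi \circ [n]_{E_2} \circ \phi \overset{(R3)}{=} \hat\phi \circ \phi \circ [n]_{E_1} = [m]_{E_1} \circ [n]_{E_1} = [mn]_{E_1}.$$

Now apply the uniqueness of $\widehat{\lambda \circ \phi}$.

(c) Omitted. As usual, the reference is Silverman (III, 6, Thm. 6.2).

(d) The first statement is true for $i = 0, 1$. Using the above result, we obtain by induction:

$$\widehat{[i+1]} = \widehat{[i]} + \widehat{[1]} = [i] + [1] = [i+1]$$

for all $i \in \mathbb{N}$. Using $\widehat{[-1]} = [-1]$ and (b), we get the result for $-i$, for all $i \in \mathbb{N}$:

$$\widehat{[-i]} = \widehat{[-1] \circ [i]} = \widehat{[i]} \circ \widehat{[-1]} = [i] \circ [-1] = [-i].$$

To show the second statement, let $d := \deg[m]$. Then one sees immediately

$$[d] = \widehat{[m]} \circ [m] = [m^2],$$

which implies $d = m^2$ because of (R5). We remark that there is an elementary, but “highly computational” proof for the latter statement. See Silverman, Exercise 3.7 for details.

(e) Again, let $m := \deg \phi$. Then, using (d):

$$[m^2] = [\deg[m]] = [\deg(\hat\phi \circ \phi)] = [\deg\hat\phi \cdot \deg\phi] = [m \cdot (\deg\hat\phi)],$$

so $\deg\hat\phi = m$ by (R5).

(f) Once more, let $m := \deg \phi$. We then note:

$$\hat\phi \circ \phi = [m] = \widehat{[m]} = \widehat{\hat\phi \circ \phi} = \hat\phi \circ \hat{\hat\phi}.$$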

16.4 The structure of the torsion subgroup

Theorem 16.4. Let $m \in \mathbb{Z}$ and suppose $(m, \operatorname{char} K) = 1$, if $\operatorname{char} K \neq 0$. Then $[m]_E$ is a separable endomorphism.

Proof. Consider the finite field extension $F/G$ of degree $m^2$, where

$$F := K(E), \qquad G := [m]_E^*(K(E)).$$

Assume that $\alpha \in F$ is inseparable. Hence $f := \operatorname{mipo}_G(\alpha) \in G[t^p]$, where $p := \operatorname{char}(K)$. As $np := \deg(f)$ has to divide $[F : G] = m^2$, we get $p \mid m$. Contradiction.

Corollary 16.5. Suppose again $(m, \operatorname{char}(K)) = 1$. Then

$$E_m = \ker([m]_E) \simeq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}.$$

Proof. As $[m]$ is separable, we have $|\ker[m]| = |[m]^{-1}(0)| \overset{(R4)}{=} \deg_s[m] = \deg[m] = m^2$. Similarly, we have $|E_d| = d^2$ for all $d \mid m$. So $E_m$ is abelian, of exponent $\le m$ and has order $m^2$. The structure theorem now tells us that $E_m \simeq \bigoplus_i \mathbb{Z}_{p_i^{n_i}}$. We may just look at the part with $p_i = p$, i.e. we assume $E_m \simeq \bigoplus_i \mathbb{Z}_{p^{n_i}}$ and $m = p^r$. We certainly have $n_i \le r$, as $E_m$ has exponent $m$. If $n_i < r$ for some $i$, then $p^{r-1}\alpha = 0$ for at least $p^{r-1} \cdot p^r$ elements $\alpha \in E_m$, i.e. $|E_{p^{r-1}}| \ge p^{r-1} p^r > (p^{r-1})^2$. This contradicts our observation made above. So we have in fact $n_i = r$, which means $E_m \simeq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$.

Lecture 17

Hasse’s Theorem

David Geraghty, 07 / 03 / 2005

Recall from earlier lectures:

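1. If $E_1$ and $E_2$ are elliptic curves over a field $k$ we defined the abelian group

$$\operatorname{Hom}(E_1, E_2) = \{\text{isogenies } \phi : E_1 \to E_2\}.$$

2. We defined a function

$$\deg : \operatorname{Hom}(E_1, E_2) \longrightarrow \mathbb{Z}, \qquad \phi \longmapsto \begin{cases} [k(E_1) : \phi^* k(E_2)] & \text{if } \phi \neq 0; \\ 0 & \text{if } \phi = 0. \end{cases}$$

Note that $\deg(\phi) > 0$ if $\phi \neq 0$.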

Definition 17.1. Let $A$ be an abelian group. A function $q : A \to \mathbb{R}$ is a positive definite quadratic form on $A$ if:

1. $q(-a) = q(a)$ $\forall a \in A$

2. The map $A \times A \to \mathbb{R}$; $(a, b) \mapsto q(a + b) - q(a) - q(b)$ is bilinear

3. $q(a) > 0$ if $a \neq 0$.

Lemma 17.2. The function $\deg : \operatorname{Hom}(E_1, E_2) \to \mathbb{Z}$ is a positive definite quadratic form.

Proof. We have to show that $\deg$ satisfies the conditions of the previous definition:

1. Observe that $-\phi = [-1]_{E_2} \circ \phi$. Taking degrees we get $\deg(-\phi) = \deg([-1]_{E_2}) \deg(\phi) = \deg(\phi)$.

2. Let $\langle\phi, \psi\rangle = \deg(\phi + \psi) - \deg(\phi) - \deg(\psi)$. We need to show that $\langle\cdot, \cdot\rangle$ is bilinear. Recalling properties of the dual isogeny from the last lecture we have

$$\begin{aligned}
[\langle\phi, \psi\rangle]_{E_1} &= [\deg(\phi + \psi)]_{E_1} - [\deg(\phi)]_{E_1} - [\deg(\psi)]_{E_1} \\
&= \widehat{(\phi + \psi)} \circ (\phi + \psi) - \hat\phi \circ \phi - \hat\psi \circ \psi \\
&= (\hat\phi + \hat\psi) \circ (\phi + \psi) - \hat\phi \circ \phi - \hat\psi \circ \psi \\
&= \hat\phi \circ \psi + \hat\psi \circ \phi
\end{aligned}$$

which is certainly bilinear in $\phi$ and $\psi$. Hence for all $\phi_1, \phi_2 \in \operatorname{Hom}(E_1, E_2)$, we have

$$[\langle\phi_1 + \phi_2, \psi\rangle]_{E_1} = [\langle\phi_1, \psi\rangle]_{E_1} + [\langle\phi_2, \psi\rangle]_{E_1} = [\langle\phi_1, \psi\rangle + \langle\phi_2, \psi\rangle]_{E_1}.$$

Recalling that $\mathbb{Z} \hookrightarrow \operatorname{End}(E_1)$, we deduce that

$$\langle\phi_1 + \phi_2, \psi\rangle = \langle\phi_1, \psi\rangle + \langle\phi_2, \psi\rangle.$$

Similarly we have linearity in the second variable.

3. We noted earlier that $\deg(\phi) > 0$ when $\phi \neq 0$.

We now prove a version of the Cauchy-Schwarz inequality which we will need to prove Hasse’s theorem.

Lemma 17.3. Let $A$ be an abelian group and $q : A \to \mathbb{Z}$ a positive definite quadratic form. Then

$$|q(\psi - \phi) - q(\psi) - q(\phi)| \le 2\sqrt{q(\phi)q(\psi)} \qquad \forall \psi, \phi \in A.$$

Proof. By Definition 17.1, the map $\langle\psi, \phi\rangle = q(\psi + \phi) - q(\psi) - q(\phi)$ is bilinear. It follows that $q(0) = 0$ and $q(m\phi) = m^2 q(\phi)$ for all $m \in \mathbb{Z}$ and $\phi \in A$.

Now, take any $\phi, \psi \in A$. If $\psi = 0$, then the result is clear, so assume $\psi \neq 0$. For any $m, n \in \mathbb{Z}$, we have

$$\begin{aligned}
q(m\psi - n\phi) &= \langle m\psi, -n\phi\rangle + q(m\psi) + q(n\phi) \\
&= -mn\langle\psi, \phi\rangle + m^2 q(\psi) + n^2 q(\phi).
\end{aligned}$$

Since $q$ takes values in $\mathbb{Z}$, by assumption, we can set $m = \langle\psi, \phi\rangle$ and $n = 2q(\psi)$ to get

$$q(m\psi - n\phi) = -q(\psi)\langle\psi, \phi\rangle^2 + 4q(\psi)^2 q(\phi).$$

Now the left hand side of this equation is non-negative and therefore

$$q(\psi)\left[4q(\psi)q(\phi) - \langle\psi, \phi\rangle^2\right] \ge 0.$$

But $q(\psi) > 0$ since $\psi \neq 0$, so the result follows.

Let $E$ be an elliptic curve over the finite field $\mathbb{F}_q$ where $q = p^r$, for some prime $p$. Observe that for any polynomial $f(x, y) \in \mathbb{F}_q[x, y]$, we have $f(x, y)^q = f(x^q, y^q)$. Choose a generalized Weierstrass equation

$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$$

for $E$, with each $a_i \in \mathbb{F}_q$. We define the ($q$-th power) Frobenius morphism

$$\phi : E(\bar{\mathbb{F}}_q) \longrightarrow E(\bar{\mathbb{F}}_q), \qquad (x, y) \longmapsto (x^q, y^q).$$

Lemma 17.4. Let $E$ be an elliptic curve over $\mathbb{F}_q$ and let $\phi$ be the $q$-th power Frobenius morphism. Then

1. $\deg \phi = q$

2. For any $m, n \in \mathbb{Z}$, $[m]_E + [n]_E \circ \phi$ is separable if and only if $p \nmid m$.

Proof. Omitted - see Silverman pp. 30 and pp. 83

Theorem 17.5. (Hasse) Let $E$ be an elliptic curve over the finite field $\mathbb{F}_q$. Then

$$|\#E(\mathbb{F}_q) - q - 1| \le 2\sqrt{q}.$$

Proof. Choose a generalized Weierstrass equation for $E$ and let $\phi : E \to E$ be the $q$-th power Frobenius morphism, as defined above. Let $P \in E(\bar{\mathbb{F}}_q)$. The coordinates of $P$ lie in some finite extension $L$ of $\mathbb{F}_q$. We know that the extension $L/\mathbb{F}_q$ is Galois, with Galois group generated by the Frobenius automorphism ($x \mapsto x^q$). Hence

$$P \in E(\mathbb{F}_q) \iff \phi(P) = P.$$

Therefore, we have

$$E(\mathbb{F}_q) = \operatorname{Ker}(1 - \phi : E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q)).$$

By Lemma 17.4, $1 - \phi$ is separable and hence

$$\deg(1 - \phi) = \#\operatorname{Ker}(1 - \phi) = \#E(\mathbb{F}_q).$$

Now, taking $A = \operatorname{End}(E)$ and $\psi = 1$ in Lemma 17.3, we get

$$|\deg(1 - \phi) - 1 - \deg(\phi)| \le 2\sqrt{\deg \phi}.$$

The result follows.

Example. Let $K = \mathbb{F}_q$ be a finite field with $q = p^r$ elements. Let $f(x) \in K[x]$ be a cubic polynomial which has distinct roots in $\bar{K}$. We show that the values of $f$ (evaluated at elements of $K$) tend to be distributed equally amongst squares and non squares: Define

$$\chi : K^* \longrightarrow \{\pm 1\}, \qquad t \longmapsto \begin{cases} 1 & \text{if } t \in (K^*)^2; \\ -1 & \text{otherwise.} \end{cases}$$

We set $\chi(0) = 0$. Since $f$ has distinct roots, we can define an elliptic curve by the equation

$$E : y^2 = f(x).$$

What is the size of $E(K)$? Well, for each point $x \in K$ there are $1 + \chi(f(x))$ solutions of the equation $y^2 = f(x)$. Remembering the point at infinity, we see that

$$\#E(K) = 1 + \sum_{x \in K} (1 + \chi(f(x))) = 1 + q + \sum_{x \in K} \chi(f(x)).$$

Applying Hasse’s theorem, we get

$$\left|\sum_{x \in K} \chi(f(x))\right| \le 2\sqrt{q}.$$
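The counting formula of the example above can be run directly for a prime field. The following is an added example, not part of the original notes: it computes #E(F_p) from the character sum, cross-checks it against brute-force enumeration, and tests Hasse's bound exactly in integers; it goes slightly beyond the text by scanning every curve y^2 = x^3 + bx + c over a given F_p. The primes and coefficients are constructed sample values, and the restriction to odd prime p (rather than q = p^r) is an assumption of the code.

```python
def chi(t, p):
    """Quadratic character of F_p: 1 on nonzero squares, -1 on non-squares, 0 at 0."""
    t %= p
    if t == 0:
        return 0
    # Euler's criterion: t^((p-1)/2) is 1 for squares and p-1 for non-squares.
    return 1 if pow(t, (p - 1) // 2, p) == 1 else -1


def cubic(coeffs, x, p):
    """Evaluate f(x) = x^3 + a x^2 + b x + c mod p for coeffs = (a, b, c)."""
    a, b, c = coeffs
    return (x * x * x + a * x * x + b * x + c) % p


def has_distinct_roots(coeffs, p):
    """f has distinct roots in the algebraic closure iff disc(f) != 0 mod p."""
    a, b, c = coeffs
    disc = a * a * b * b - 4 * b**3 - 4 * a**3 * c - 27 * c * c + 18 * a * b * c
    return disc % p != 0


def character_sum(coeffs, p):
    """The sum over x in F_p of chi(f(x))."""
    return sum(chi(cubic(coeffs, x, p), p) for x in range(p))


def count_points(coeffs, p):
    """#E(F_p) = 1 + p + sum_x chi(f(x)), the formula from the example above."""
    if p == 2 or not has_distinct_roots(coeffs, p):
        raise ValueError("need odd p and f with distinct roots")
    return 1 + p + character_sum(coeffs, p)


def count_points_naive(coeffs, p):
    """Cross-check: count the y with y^2 = f(x) for each x, plus the point at infinity."""
    roots = {}
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    return 1 + sum(roots.get(cubic(coeffs, x, p), 0) for x in range(p))


def satisfies_hasse(n_points, p):
    """|#E - p - 1| <= 2 sqrt(p), tested exactly as t^2 <= 4p."""
    t = n_points - p - 1
    return t * t <= 4 * p


def hasse_violations(p):
    """Scan every nonsingular y^2 = x^3 + b x + c over F_p and return the curves
    whose two counts disagree or whose count falls outside Hasse's bound."""
    bad = []
    for b in range(p):
        for c in range(p):
            coeffs = (0, b, c)
            if not has_distinct_roots(coeffs, p):
                continue
            n = count_points(coeffs, p)
            if n != count_points_naive(coeffs, p) or not satisfies_hasse(n, p):
                bad.append((coeffs, n))
    return bad
```

The character sum costs O(p) field operations, so this is a check for small parameters only; an empty list from `hasse_violations` is what Theorem 17.5 predicts.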

Lecture 18

Introduction to Galois cohomology

Will Shapiro, 09 / 03 / 2005

It would be impossible to improve on John Tate’s notes at http://modular.ucsd.edu/Tables/Notes/tate-pcmi.html .


Lecture 19

Cohomology and Mordell-Weil

Sarah Zerbes, 11 / 03 / 2005

Let $K/\mathbb{Q}$ be a finite extension, $E$, $E'$ elliptic curves over $K$. Let $\phi : E \to E'$ be an isogeny over $K$.

Theorem 19.1. $\dfrac{E'(K)}{\phi(E(K))}$ is finite.

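Observation:

$$0 \longrightarrow E(\bar{K})[\phi] \longrightarrow E(\bar{K}) \longrightarrow E'(\bar{K}) \longrightarrow 0$$

is an exact sequence of $G_K$-modules (where $G_K = \operatorname{Gal}(\bar{K}/K)$).

So we can take the long exact sequence on cohomology:

$$0 \longrightarrow E(K)[\phi] \longrightarrow E(K) \longrightarrow E'(K) \xrightarrow{\ \delta\ } H^1(G_K, E[\phi]) \longrightarrow H^1(G_K, E) \longrightarrow H^1(G_K, E')$$

The map $\delta$ is defined like so: given $P \in E'(K)$, take $Q \in E(\bar{K})$ such that $\phi(Q) = P$. Then, define

$$\delta(P) : \sigma \longmapsto \sigma(Q) - Q$$

So we have a short exact sequence:

$$0 \longrightarrow \frac{E'(K)}{\phi(E(K))} \longrightarrow H^1(G_K, E[\phi]) \longrightarrow H^1(G_K, E)[\phi] \longrightarrow 0$$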

We can study this prime by prime. Let $M_K$ be the complete set of all places of $K$. For $v \in M_K$, write $G_v = \operatorname{Gal}(\bar{K}_v/K_v)$. Then we have the exact sequence:

$$0 \longrightarrow \frac{E'(K_v)}{\phi(E(K_v))} \longrightarrow H^1(G_v, E[\phi]) \longrightarrow H^1(G_v, E)[\phi] \longrightarrow 0$$

Choose an embedding $\bar{K} \hookrightarrow \bar{K}_v$, which induces an injective homomorphism $G_v \hookrightarrow G_K$.

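We have restriction maps $H^1(G_K, E[\phi]) \to H^1(G_v, E[\phi])$, and these give us the following diagram with exact rows:

$$\begin{array}{ccccccccc}
0 & \to & \dfrac{E'(K)}{\phi(E(K))} & \to & H^1(G_K, E[\phi]) & \to & H^1(G_K, E)[\phi] & \to & 0 \\
 & & \downarrow & & \downarrow & & \downarrow & & \\
0 & \to & \dfrac{E'(K_v)}{\phi(E(K_v))} & \to & H^1(G_v, E[\phi]) & \to & H^1(G_v, E)[\phi] & \to & 0
\end{array}$$

So we also have a diagram (with exact rows):

$$\begin{array}{ccccccccc}
0 & \to & \dfrac{E'(K)}{\phi(E(K))} & \to & H^1(G_K, E[\phi]) & \to & H^1(G_K, E)[\phi] & \to & 0 \\
 & & \downarrow & & \downarrow & & \downarrow & & \\
0 & \to & \displaystyle\prod_{v \in M_K} \dfrac{E'(K_v)}{\phi(E(K_v))} & \to & \displaystyle\prod_{v \in M_K} H^1(G_v, E[\phi]) & \to & \displaystyle\prod_{v \in M_K} H^1(G_v, E)[\phi] & \to & 0
\end{array}$$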

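Definition 19.2. The Selmer group is defined:

$$\operatorname{Sel}^{(\phi)}(E/K) = \ker\left(H^1(G_K, E[\phi]) \longrightarrow \prod_{v \in M_K} H^1(G_v, E)[\phi]\right)$$

The Tate-Shafarevich group is defined:

$$\text{Ш}^{(\phi)}(E/K) = \ker\left(H^1(G_K, E)[\phi] \longrightarrow \prod_{v \in M_K} H^1(G_v, E)[\phi]\right)$$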

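Remarks:

(i) These definitions are independent of the choice of embeddings $\bar{K} \hookrightarrow \bar{K}_v$.

(ii) We have an embedding:

$$\frac{E'(K)}{\phi(E(K))} \hookrightarrow \operatorname{Sel}^{(\phi)}(E/K)$$

Proposition 19.3. We have an exact sequence:

$$0 \longrightarrow \frac{E'(K)}{\phi(E(K))} \longrightarrow \operatorname{Sel}^{(\phi)}(E/K) \longrightarrow \text{Ш}^{(\phi)}(E/K) \longrightarrow 0$$

So, to show $\dfrac{E'(K)}{\phi(E(K))}$ is finite, it suffices to show that $\operatorname{Sel}^{(\phi)}(E/K)$ is finite.

Theorem 19.4. $\operatorname{Sel}^{(\phi)}(E/K)$ is finite.

Idea: $\operatorname{Sel}^{(\phi)}(E/K) \subset H^1(G_K, E[\phi])$. We’ll show that every cohomology class is trivial on a large subgroup of $G_K$, then “replace” $G_K$ by a more manageable quotient.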

Let $v$ be a finite prime of $K$. Let $I_v \subset G_v$ be the inertia group of $v$ (that is, $I_v$ consists of all the elements that act trivially on the residue field).

Definition 19.5. Consider a cohomology class $\zeta \in H^1(G_v, M)$, where $M$ is a finite $G_K$-module. We say $\zeta$ is unramified if its restriction to $I_v$ is trivial; that is, it has trivial image under the restriction map $H^1(G_v, M) \to H^1(I_v, M)$.

Definition 19.6. Now let $\zeta \in H^1(G_K, M)$, and let $v$ be a finite place of $K$. We say $\zeta$ is unramified at $v$ if its image (under restriction) in $H^1(G_v, M)$ is unramified.

Now, let $m = \deg(\phi)$. Define a finite set of primes $S \subset M_K$ like so:

$$S = \{v : v \text{ divides } m\} \cup \{v : E \text{ has bad reduction at } v\} \cup \{\text{all infinite primes}\}$$

Lemma 19.7. If $\zeta \in \operatorname{Sel}^{(\phi)}(E/K)$, then $\zeta$ is unramified at $v$ for all primes $v \notin S$.

Proof. Take $v \notin S$. Look at the image of $\zeta$ in $H^1(G_v, E[\phi])$. Consider the following exact sequence:

$$E(K_v) \longrightarrow E'(K_v) \xrightarrow{\ \delta\ } H^1(G_v, E[\phi]) \xrightarrow{\ f\ } H^1(G_v, E)[\phi]$$

Since $\zeta$ is in the Selmer group, $f(\zeta) = 0$ so we have some point $P \in E'(K_v)$ such that $\delta(P) = \zeta$. So we have $Q \in E(\bar{K}_v)$ such that $\phi(Q) = P$ and $\zeta(\sigma) = \sigma(Q) - Q$ for all $\sigma \in G_v$.

Note that $\phi(\sigma(Q) - Q) = 0$ for all $\sigma$. To see this, $\phi(\sigma(Q) - Q) = \sigma(\phi(Q)) - \phi(Q) = \sigma(P) - P$. But $P \in E'(K_v)$ so $\sigma \in \operatorname{Gal}(\bar{K}_v/K_v)$ must fix $P$. So, $\phi(\sigma(Q) - Q) = 0$.

In particular, $\zeta(\sigma) = \sigma(Q) - Q$ for all $\sigma \in I_v$. Consider reduction modulo $v$:

$$\begin{aligned}
\widetilde{\sigma(Q) - Q} &= \widetilde{\sigma(Q)} - \tilde{Q} \\
&= \tilde{Q} - \tilde{Q} \quad \text{since } \sigma \in I_v \text{ acts trivially on the residue field} \\
&= 0
\end{aligned}$$

So (since $v \notin S$, and $\phi(\sigma Q - Q) = 0$ so $\sigma Q - Q$ is an $m$-torsion point) $\sigma(Q) - Q = 0$; that is, $\zeta$ is trivial in $H^1(I_v, E[\phi])$.

Lecture 20

Completion of the proof of Mordell-Weil

Sarah Zerbes, 14 / 03 / 2005

Lemma 20.1. Let $T \subset M_K$ be a finite subset and $M$ a finite $G_K$-module. Let

$$H^1(G_K, M, T) = \{\zeta \in H^1(G_K, M) : \zeta \text{ is unramified outside } T\}$$

Then $H^1(G_K, M, T)$ is finite.

Proof. $G_K$ acts continuously on the finite module $M$; hence there exists an open normal subgroup $H \trianglelefteq G_K$ acting trivially on $M$. We have an exact sequence:

$$0 \longrightarrow H^1(G_K/H, M) \longrightarrow H^1(G_K, M) \longrightarrow H^1(H, M)$$

Since $G_K/H$ is finite, WLOG we may assume $G_K$ acts trivially on $M$; so $H^1(G_K, M) = \operatorname{Hom}(G_K, M)$.

Now, if $\zeta \in \operatorname{Hom}(G_K, M)$ is unramified outside $T$, then $\zeta$ factors through an extension $L/K$, unramified outside $T$. Let $k \in \mathbb{N}$ be the exponent of $M$ (so $kx = 0$ for all $x \in M$). In fact $\zeta$ must factor through the maximal abelian extension $F/K$ of exponent $k$ which is unramified outside $T$. By Hermite’s theorem, $F/K$ is finite.

Now, combining Lemmas 19.7 and 20.1, and using the fact that $E(K)[\phi]$ is finite (by the Finiteness Theorem), we deduce $\operatorname{Sel}^{(\phi)}(E/K)$ is finite, and the result we originally wanted follows.

Lecture 21

Sarah vs. Zacky

Vladimir Dokchitser, 16 / 03 / 2005

In this lecture, we want to explain why Sarah’s cohomological approach to proving the Mordell-Weil theorem for a general number field $K$ agrees with what we did (in a more low-tech way) over $\mathbb{Q}$ in Zacky’s lectures.

Once again, let $E$ be an elliptic curve given by the GWE:

$$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$$

Let’s briefly remind ourselves of some things we did earlier on. If $E$ is defined over $\mathbb{Q}$ and $E$ has a point of order 2, we can change co-ordinates (as we did before) to get $E$ in the form:

$$E : y^2 = x^3 + ax^2 + bx$$

We have the dual curve:

$$E' : y^2 = x^3 + a'x^2 + b'x$$

(with $a' = -2a$, $b' = a^2 - 4b$.) We also have the map $\phi : E \to E'$ where

$$\phi(u, v) = \left(\frac{v^2}{u^2}, \frac{v(b - u^2)}{u^2}\right)$$

There is a similar map $\phi' : E' \to E$ such that $\phi \circ \phi' = [2]_{E'}$ and $\phi' \circ \phi = [2]_E$.
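The statements above, together with the general facts from Lecture 15 (an isogeny is a group homomorphism with finite kernel), can be checked exhaustively over a small prime field. This is an added example, not part of the original notes: the prime and the coefficients a, b are constructed sample values, the formula used for φ′ is the standard one matching this sign convention and is an assumption since the notes do not write it out, and the equality #E(F_p) = #E′(F_p) is a standard fact for isogenous curves over a finite field that the notes do not prove.

```python
O = None  # the point at infinity


def inv(x, p):
    return pow(x, -1, p)


def on_curve(P, a, b, p):
    """True if P lies on y^2 = x^3 + a x^2 + b x over F_p."""
    if P is O:
        return True
    x, y = P
    return (y * y - (x**3 + a * x * x + b * x)) % p == 0


def add(P, Q, a, b, p):
    """Chord-and-tangent addition on y^2 = x^3 + a x^2 + b x."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # Q = -P (this also covers doubling a 2-torsion point)
    if P == Q:
        lam = (3 * x1 * x1 + 2 * a * x1 + b) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - a - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def points(a, b, p):
    return [O] + [(x, y) for x in range(p) for y in range(p)
                  if on_curve((x, y), a, b, p)]


def dual_coeffs(a, b, p):
    """E' : y^2 = x^3 + a' x^2 + b' x with a' = -2a, b' = a^2 - 4b."""
    return (-2 * a) % p, (a * a - 4 * b) % p


def phi(P, b, p):
    """phi(u, v) = (v^2/u^2, v(b - u^2)/u^2); O and (0, 0) are sent to O."""
    if P is O or P[0] == 0:
        return O
    u, v = P
    iu2 = inv(u * u, p)
    return (v * v * iu2 % p, v * (b - u * u) * iu2 % p)


def phi_dual(P, b2, p):
    """Assumed formula for phi' : E' -> E, not written out in the notes:
    (u, v) -> (v^2/(4u^2), v(b' - u^2)/(8u^2))."""
    if P is O or P[0] == 0:
        return O
    u, v = P
    iu2 = inv(u * u, p)
    return (v * v * iu2 * inv(4, p) % p, v * (b2 - u * u) * iu2 * inv(8, p) % p)


def check_isogeny(a, b, p):
    """Exhaustively verify the claims about phi on E(F_p), p an odd prime."""
    a2, b2 = dual_coeffs(a, b, p)
    if b % p == 0 or b2 == 0:
        raise ValueError("singular curve: need b != 0 and a^2 - 4b != 0 mod p")
    E, E2 = points(a, b, p), points(a2, b2, p)
    img = {P: phi(P, b, p) for P in E}
    return {
        "lands_on_dual": all(on_curve(R, a2, b2, p) for R in img.values()),
        "homomorphism": all(img[add(P, Q, a, b, p)] == add(img[P], img[Q], a2, b2, p)
                            for P in E for Q in E),
        "kernel": [P for P in E if img[P] is O],
        "dual_composes_to_2": all(phi_dual(img[P], b2, p) == add(P, P, a, b, p)
                                  for P in E),
        "same_order": len(E) == len(E2),
    }
```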

Zacky’s Method. In Zacky’s lectures we found $\left|\dfrac{E}{\phi'(E')}\right|$ and $\left|\dfrac{E'}{\phi(E)}\right|$. We proved a formula for the rank of the curve:

$$2^{g_E} = \frac{1}{4} \left|\frac{E}{\phi'(E')}\right| \left|\frac{E'}{\phi(E)}\right|$$

We also had the map:

$$\alpha' : E' \longrightarrow \frac{\mathbb{Q}^\times}{\mathbb{Q}^{\times 2}}$$

with $\alpha'(x, y) = x$ unless $(x, y) = O$ or $(0, 0)$. This map had the property $\ker(\alpha') = \phi(E)$, so $\alpha'$ induces an embedding

$$\frac{E'}{\phi(E)} \hookrightarrow \frac{\mathbb{Q}^\times}{\mathbb{Q}^{\times 2}}$$

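Sarah’s Method. Consider the isogeny $\phi : E \to E'$ above. We have an exact sequence of $G_{\mathbb{Q}}$-modules:

$$0 \longrightarrow E(\bar{\mathbb{Q}})[\phi] \longrightarrow E(\bar{\mathbb{Q}}) \xrightarrow{\ \phi\ } E'(\bar{\mathbb{Q}}) \longrightarrow 0$$

So we can take the long exact sequence on cohomology:

$$0 \longrightarrow E(\mathbb{Q})[\phi] \longrightarrow E(\mathbb{Q}) \longrightarrow E'(\mathbb{Q}) \xrightarrow{\ \delta\ } H^1(G_{\mathbb{Q}}, E[\phi]) \longrightarrow \dots$$

This gives us an exact sequence:

$$0 \longrightarrow \frac{E'(\mathbb{Q})}{\phi(E(\mathbb{Q}))} \xrightarrow{\ \delta\ } H^1(G_{\mathbb{Q}}, E[\phi]) \longrightarrow H^1(G_{\mathbb{Q}}, E)[\phi] \longrightarrow 0$$

We know that $E[\phi] = \{O, (0, 0)\} \cong C_2$, and $G_{\mathbb{Q}}$ acts trivially on it. Therefore

$$H^1(G_{\mathbb{Q}}, E[\phi]) = \operatorname{Hom}(G_{\mathbb{Q}}, C_2)$$

If we pick $\xi \in \operatorname{Hom}(G_{\mathbb{Q}}, C_2)$ with $\xi \neq 0$, then $\ker \xi \triangleleft G_{\mathbb{Q}}$ of index 2. Let $L$ be the fixed field of $\ker \xi$; then $L/\mathbb{Q}$ is a quadratic extension. Therefore $\xi$ is determined by the quadratic field $L = \mathbb{Q}(\sqrt{n})$.

Note: $\mathbb{Q}(\sqrt{m}) = \mathbb{Q}(\sqrt{n})$ if and only if $\frac{n}{m} \in \mathbb{Q}^{\times 2}$; which is to say, $\xi$ determines an element of $\mathbb{Q}^\times/\mathbb{Q}^{\times 2}$.

So we can rewrite our short exact sequence as:

$$0 \longrightarrow \frac{E'(\mathbb{Q})}{\phi(E(\mathbb{Q}))} \longrightarrow \frac{\mathbb{Q}^\times}{\mathbb{Q}^{\times 2}} \longrightarrow H^1(G_{\mathbb{Q}}, E)[\phi] \longrightarrow 0$$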

Recall Zacky’s $\alpha'$ map:

$$\alpha' : E' \longrightarrow \frac{\mathbb{Q}^\times}{\mathbb{Q}^{\times 2}}, \qquad (u, v) \longmapsto u \bmod \mathbb{Q}^{\times 2}$$

(unless $u = 0$ or $\infty$.)

We want to compare $\alpha'$ and $\delta$. Recall how $\delta$ was defined: take some $Q \in E(\bar{\mathbb{Q}})$ such that $\phi(Q) = P$. Then

$$\delta(P) : \sigma \longmapsto Q - \sigma(Q) \quad \text{for all } \sigma \in G_{\mathbb{Q}}$$

So, what is the kernel of $\delta(P) \in \operatorname{Hom}(G_{\mathbb{Q}}, C_2)$?

$$\begin{aligned}
\delta(P)(\sigma) = O &\iff \sigma(Q) = Q \\
&\iff P \text{ has a } \phi\text{-preimage fixed by } \sigma
\end{aligned}$$

Recall: $P \in \phi(E(\mathbb{Q})) \iff P = (u, v)$ with $u \in \mathbb{Q}^{\times 2}$ (for details see the end of lecture 6.) In fact, it can be shown that $P \in \phi(E(K)) \iff u \in K^{\times 2}$ for a general number field $K$; although we won’t do that here.

Hence if we set $L = \mathbb{Q}(Q)$ (the field of definition of the point $Q$) then we have

$$\delta(P)(\sigma) = O \iff \sigma \in G_L$$

Note: $L = \mathbb{Q}(\sqrt{u})$ where $P = (u, v)$. In the language we were using before, if $\xi = \delta(P)$ then $\xi$ determines the quadratic field $L = \mathbb{Q}(\sqrt{u})$.

So, under the isomorphism

$$\operatorname{Hom}(G_{\mathbb{Q}}, C_2) \longrightarrow \frac{\mathbb{Q}^\times}{\mathbb{Q}^{\times 2}}$$

$\delta$ becomes the map

$$(u, v) \longmapsto u \bmod \mathbb{Q}^{\times 2}$$

so $\delta$ has become Zacky’s $\alpha'$ under this isomorphism!

So, let’s compare the images of the maps $\alpha'$ and $\delta$.

Zacky: $\operatorname{Im}(\alpha') \subset \langle -1, p_1, p_2, \dots, p_n \rangle$ where the $p_i$ are the primes dividing $b'$.

Sarah: $\operatorname{Im}(\delta)$ consists of cocycles unramified outside $\infty$, 2 and the primes $\{p : p \mid b(a^2 - 4b)\}$. Recall that $\xi \in \operatorname{Hom}(G_{\mathbb{Q}_p}, E[\phi])$ is unramified if its restriction to the inertia group $I_p$ is trivial. Therefore, if $\xi$ corresponds to $\mathbb{Q}(\sqrt{n})$, then $\mathbb{Q}(\sqrt{n})/\mathbb{Q}$ is unramified at $p$; so (for $p > 2$) $p$ does not divide $n$. Now we know that $\alpha'$ and $\delta$ are the same map, we recover the fact that

$$\operatorname{Im}(\alpha') \subset \langle -1, 2, p_1, p_2, \dots, p_n \rangle$$

where the $p_i$ are the primes dividing $b(a^2 - 4b)$. Therefore, $\operatorname{Im}(\alpha')$ is finite, so $\dfrac{E'(\mathbb{Q})}{\phi(E(\mathbb{Q}))}$ is finite. This proves the Weak Mordell-Weil Theorem.

The Selmer Group: Take $\xi \in \operatorname{Hom}(G_{\mathbb{Q}}, E[\phi])$. Let $\xi$ correspond to $\mathbb{Q}(\sqrt{n})/\mathbb{Q}$.

$$\operatorname{Res}^{G_{\mathbb{Q}}}_{G_{\mathbb{Q}_p}}(\xi) \in \operatorname{Hom}(G_{\mathbb{Q}_p}, E[\phi])$$

If $\xi \in \operatorname{Sel}^{(\phi)}(E/\mathbb{Q})$, then $\operatorname{Res}(\xi)$ comes from $\dfrac{E'(\mathbb{Q}_p)}{\phi E(\mathbb{Q}_p)}$. That is, there exists a point $P \in E'(\mathbb{Q}_p)$ which maps to $\operatorname{Res}(\xi)$ under $\delta$. So there is a point $P = (u, v) \in E'(\mathbb{Q}_p)$ such that $u \equiv n \bmod \mathbb{Q}^{\times 2}$ (for every $p$). So, to identify $\operatorname{Sel}^{(\phi)}(E/\mathbb{Q})$ for concrete curves $E$, take all possible $n \in \langle -1, 2, p_1, p_2, \dots, p_m \rangle$ (as in Sarah’s theorem.) For each $n$, we check: for all primes $p$, does there exist $P = (u, v) \in E'(\mathbb{Q}_p)$ such that $u \equiv n \bmod \mathbb{Q}^{\times 2}$ (and similarly over $\mathbb{R} = \mathbb{Q}_\infty$.)

(Remark: It is sufficient to check such a $P$ exists for $p = \infty, 2, p_1, \dots, p_m$.)

However, to identify $\dfrac{E'(\mathbb{Q})}{\phi(E(\mathbb{Q}))}$, we need to take all $n$ and check for $P = (u, v) \in E'(\mathbb{Q})$ with $u \equiv n \bmod \mathbb{Q}^{\times 2}$.

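The Villain of the Piece: Recall the Tate-Shafarevich group $\text{Ш}^{(\phi)}(E/\mathbb{Q})$. The problem is that $\text{Ш}^{(\phi)}(E/\mathbb{Q})$ may not be zero. In this case, $\xi \in \operatorname{Sel}^{(\phi)}(E/\mathbb{Q})$ does not imply that $\xi$ comes from $E'(\mathbb{Q})$. Let

$$\text{Ш}(E/\mathbb{Q}) = \ker\left(H^1(G_{\mathbb{Q}}, E) \longrightarrow \prod_{p, \infty} H^1(G_{\mathbb{Q}_p}, E)\right)$$

Conjecture: $\text{Ш}(E/\mathbb{Q})$ is finite. (When it is finite, a theorem of Cassels tells us $|\text{Ш}(E/\mathbb{Q})|$ is a square.)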